EXCLUSIVE SURVEY: The State of Information Security 2003, PAGE 38


THE RESOURCE FOR SECURITY EXECUTIVES




Taking the gamble out of gaming security. PAGE 30


READY TO RUMBLE

Security executives Bill Boni and Ira Winkler team up to tell you how to whip security into shape. PAGE 50


WHO WANTS TO BE A CSO?

One man's journey to acquire the CSO title. PAGE 60

UNDER ATTACK

Can your systems really benefit from penetration testing? PAGE 57


Mohegan Sun's Jim Friel (left) and Dave Todd



Protection in every location. Managed and integrated from one location.

Introducing the Symantec™ Security Management System.

For the first time, security data from multiple locations, multiple tiers—even multiple brands of information security products—can be managed with a single system, at a single console. Which means that enterprise-wide policy compliance is finally a real possibility. It also means that because you've simplified your environment, you can reduce your operating costs. And, most importantly, you can now be more responsive to new and emerging threats, eliminating them before they do damage. It's part of a revolution in information security, a revolution that offers better protection, efficient management and ensured business continuity for your entire enterprise. For our latest White Paper, "Managing Security Incidents in the Enterprise," visit http://ses.symantec.com/USA659A8VE or call 800-745-6054.


Symantec 


I AM A CISCO 3700 ROUTER.

I AM A SNARLING PACK OF DOBERMANS.

I AM INTEGRATED SECURITY. I HAVE THE POWER TO PROTECT YOUR NETWORK FROM THE INSIDE, THE OUTSIDE AND FROM EVERYWHERE IN BETWEEN. I ALWAYS KNOW WHO IS ON THE GUEST LIST AND HAVE THE POWER TO DENY THOSE WHO AREN'T ON IT. I SNIFF OUT THREATS SO YOU CAN STAY PRODUCTIVE.

I AM MORE THAN A CISCO 3700 ROUTER.

THIS IS THE POWER OF THE NETWORK. NOW.

Cisco Systems

cisco.com/securitynow


October 2003

VOL. 2, NO. 10




'...security staff to be nice, until it's time to not be nice.'

DAVE TODD, VP OF SECURITY AND SURVEILLANCE, MOHEGAN SUN, PAGE 30


24 Sarbanes, Oxley and You

SECURITY COUNSEL Fiona Williams, who is responsible for Deloitte & Touche's security services practice for North America, answers readers' questions about the Sarbanes-Oxley Act.

26 Legal Is from Mars, Security Is from Venus

FLASHPOINT When the security team and corporate lawyers get together, it's usually a rocky relationship. By David H. Holtzman

60 Title Entitlement

CSO UNDERCOVER I thought I ought to become my organization's CSO until a self-assessment caused me to think again.

30 COVER STORY Two of a Kind

CASINO SECURITY The biggest challenge for Mohegan Sun's security and surveillance team? Catch the crooks before they leave the casino with the loot. By Daintry Duffy

38 The State of Information Security

From a worldwide study conducted by PricewaterhouseCoopers and CIO magazine, we look at where infosec is in 2003 and where it's going. By Scott Berinato

50 Fighting Trim

INTERVIEW Motorola's Bill Boni and HP's Ira Winkler tell security executives why they need to tune up both for light jabs and roundhouse rights.

DEPARTMENTS

15 Briefing

For an unworthy cause, Phishy business, Robert Liscouski on..., The day the lights went out, CSI for CSOs

22 Wonk

The market of the future: Futures markets have been used to successfully predict elections and sporting events, so why not terrorism? By Julie Hanson

57 Machine Shop

Under attack: Can your systems really benefit from penetration testing? By Simson Garfinkel
TOOLBOX IP protection tools

64 Debriefing

Dept. of the Fall Classic

Cover photo by Jason Grow

IN EVERY ISSUE 6 CSOonline.com 8 Letter from the Editor 10 Letters 62 Index

4 www.csoonline.com October 2003


2004 SALARY GUIDE

ROBERT HALF TECHNOLOGY

Compiled from our more than 100 offices, our salary data is up-to-date and comprehensive. Use it to help recruit and retain the best technology talent. Learn about proven management strategies from the industry's leading resource for IT career and hiring practices.

Call today for your free copy or visit us online at roberthalftechnology.com.

Information Technology Professionals

A Robert Half International Company

(800) 793-5533
roberthalftechnology.com

© Robert Half Technology. EOE


THE RESOURCE FOR SECURITY EXECUTIVES

CSOonline.com


Daily Dose of CSO

If you need more than the monthly fix of articles and analysis of the security industry that CSO brings you each issue, visit our website (www.csoonline.com) for more of the same smart writing and keen analysis in digital form. Bookmark CSOonline.com so that you won't miss the new content we post each weekday. Here's a rundown of what you'll find:

MONDAY

TALK BACK Tell us what you think. How do CSOs cope with stress? Visit each week to share your opinions on this and other controversial topics.
www.csoonline.com/talkback

TUESDAY

SECURITY CHECK Quick and easy. Vote in our weekly security poll. You may also check the results of previous polls, such as "Does radio frequency identification (RFID) technology pose insurmountable privacy challenges?" Nearly one-third of respondents said yes; and another third said privacy concerns over RFID are overblown.
www.csoonline.com/poll

WEDNESDAY

ANALYST REPORTS We've gathered research and analysis from respected sources and put it in one convenient package. In a recent report, The Yankee Group examined the role of identity management systems within the enterprise and found that they are crucial for managing user accounts and accommodating privacy regulations.
www.csoonline.com/analyst

1459

What does that number mean?

It means there's an easier way to find CSO articles online than typing URLs. Use the DocID number at the end of each feature to quickly take you from the magazine to related content on the Web.

Tell Us What You Think

1459

How does your company reduce e-commerce risk? Type the DocID number (above) into the search box at www.csoonline.com and post your comments online.

FRIDAY

POLITICS & POLICY Read our weekly recap of action on the Hill. Get the full text of bills before the House and Senate, and blurbs about other legislative activity inside the Beltway and out.
www.csoonline.com/politics

Free Newsletters

Keep up to date with changes on our website by subscribing to our free newsletters. CSO UPDATE highlights CSOonline.com's most recent editorial content. CSO WANTED UPDATE alerts you to the latest openings in our job database. Sign up now.
www.csoonline.com/newsletters


President Walter Manninen
Group Publisher Gary J. Beach
Publisher Bob Bragdon

EDITORIAL

Editor in Chief Lew McCreary
Executive Editor Derek Slater
Managing Editor Elaine M. Cummings
Managing Editor, Production Cheryl R. Asselin
Senior Editors Scott Berinato, Daintry Duffy
Research Editor Lorraine Cosgrove Ware
Senior Writer Sarah D. Scalet
Editor at Large Simson Garfinkel
Copy Chief Tom Wailgum
Asst. Managing Editor, Production Kathleen S. Carr
Copy Editors Kelli A. Gauthier (Assoc.), Emily S. Henderson, Sarah Johnson (Assoc.)
Special Projects Manager Lynne Z. Rigolini
Editorial Resource Manager Carol Zarrow
Editorial Assistants Daniel J. Horgan, Joe Sullivan
Contributors David H. Holtzman, Paul Roberts, Fiona Williams
Editorial Operations Specialist Julie Hanson

DESIGN

Executive Director, Art and Design Mary Lester
Art Director Steve Traynor
Senior Designer Chandra Tallman
Design Operations Specialist Rachel Barnett

ONLINE EDITORIAL

Web Editorial Director Art Jahnke
Consulting Editor Janice Brand
Web Editor Sandy Kendall
Web Writer Jon Surmacz

ONLINE & INFORMATION SYSTEMS

Chief Information Officer Mark Hall

ONLINE

Senior VP/General Manager, Online Tim Horgan
Executive Web Editor Martha Heller
Online Technology Director Dagmar Eiben
Senior Web Developer Ellen Morey
Director of Online Research Kathleen Kotwica
Audience Development Manager Andrew Burrell
Web Developers Diane Chen, Shannon Macdonald
Online Content Researcher Tara Gillet-Liloia
Designer Graham White

INFORMATION SYSTEMS

Infrastructure Manager James C. Burgoyne
User Services Manager Ron Bettencourt
Senior User Services Specialists Michael Fahlsing, Jonathan Frappier
Systems Administrator Robert Reagan

CXO MEDIA INC.


THURSDAY

METRICS Did you know that businesses have lost $48 billion in the past year because of identity theft? Visit each week for the statistics that matter to security professionals.
www.csoonline.com/metrics

Career Adviser

Need career advice? Ask CSO's resident expert, Joyce Brocaglia. Visit CAREER ADVISER to post a question.
www.csoonline.com/adviser

Founder Joseph L. Levy

INTERNATIONAL DATA GROUP

Board Chairman Patrick J. McGovern
CEO Pat Kenealy

BPA INTERNATIONAL MEMBERSHIP

Applied for August 2002
© CXO Media Inc.




INTRODUCING REALSECURE NETWORK 7.0.

RELEASED JUST AHEAD OF EVIL THREAT 6.8.



Dynamic Threat Protection. The most complete protection available. Leading edge detection, prevention and response that stops the bad guys cold. That's RealSecure® Network 7.0. Our solution offers the most accurate protection at network speeds without slowing you down. Plus, our SiteProtector™ centralized management system makes protecting a large network as simple as the click of a mouse. Or, let us do it for you with our 24/7 Managed Protection Services. Keep evil one step behind. Find out why RealSecure is the market share leader: visit www.iss.net/iss-cso or call us at 800-776-2362.

RealSecure Network 7.0

Unified protocol analysis and pattern matching - that works
Analyzes 95 network protocols - catching even unknown attacks
Nonstop protection at network speeds up to 1Gbps
Backed by X-Force, the world's #1 security intelligence team


Money Pits

Assorted tales from the September news files got me thinking about the reflex to fling gobs of money at a problem.

First, there was the man who shipped himself home to his parents' house in a box (and not a very big, comfy box at that). The fact that he was able to do this undetected—at least until he busted out on the threshold of his parents' Dallas home and startled the delivery guy—raised alarms that, as one commentator put it, "He could have been al-Qaida!"

Somewhat less whimsical and more sobering was the recent ABC News test of U.S. port security. Investigative reporter Brian Ross packed up some depleted uranium in a suitcase and shipped it by boat from Jakarta to Los Angeles. The fact that it journeyed unimpeded to its final destination was offered as alarming proof of the porousness of our ports.

And, finally, there are assorted news reports of disappointing results from various tests of face-recognition systems as a way to identify terrorists and criminals in crowded public places. The Tampa police have abandoned their use of the technology based on its cost (high) versus its effectiveness (low). While some airports and other critical infrastructure facilities continue to invest in pilot deployments of these systems, their use has so far been fraught with high percentages of false positives (that then have to be checked out) and low reliability in identifying members of known populations, such as airport employees.

Events such as these are driving us toward the unhappy conclusion that there may in fact be no economically viable technology solutions for many of the dangers we face. The experience of drug interdiction is instructive. To make a system that would be 100 percent effective at intercepting transborder drug shipments would likely bankrupt the nation. Obviously, we haven't been committed enough to achieving a perfect capability to spend ourselves into that hole (even the rosiest estimates are that interdiction catches only a minuscule percentage of drugs). The same bankruptcy prediction has been made about the more sinister cargoes of explosive or nuclear or biochemical weaponry—a menace for which even a few points short of 100 percent effective interdiction would amount to failure. Is there really money enough to go there? Or do we admit that, in the face of important competing social priorities, some lower-level capability is acceptable?

It is a worrying fact that we have all but relegated drugs to secondary status as national threat, confirming the thesis of author Barry Glassner (The Culture of Fear) that people are often afraid of the wrong things.

Which brings me back to the jobs of CSOs. This month we publish the results of an ambitious global survey on the state of information security (see Senior Editor Scott Berinato's story on Page 38). The survey was done by PricewaterhouseCoopers and our sister publication, CIO magazine. It drew responses from more than 7,500 executives in 54 countries and in companies of varying sizes. Among Berinato's most sobering conclusions, after looking at the reams of data, is that investments in stemming the tide of vulnerability seem hardly to have made a dent so far.

Is it possible, therefore, that too much money is being spent on too many of the wrong things? Berinato quotes security eminence Bruce Schneier to that effect: "Computer security folks are always trying to solve problems with technology, which explains why so many computer solutions fail so miserably."

In every area of security, the question to ask at every turn is whether a given quantity of protection is worth what it costs to achieve it. Personally, I don't care if someone wants to be stuffed into a crate and air-freighted around as though he were a bicycle. But it will be harder to decide if I'm up for spending enough to find Brian Ross's little uranium shipment without knowing what the magic number is. Could the ROI of lowering the global animosity quotient turn out to be vastly higher than the ROI of investing in hundreds of back-scan X-ray units?

-Lew McCreary
mccreary@cxo.com




PHOTO  BY  WEBB  CHAPPELL 


CCTP would have made his life much easier.

Introducing CCTP: video surveillance for the digital age

Want to know more? Simply go to anixter.com/CCTP or call 1-800-ANIXTER.

CCTP, engineered by Anixter, is:

• The only open architecture, standards-based, structured video surveillance solution

• 30% less expensive than traditional CCTV systems

• Video, Power and Control over one optimized UTP cable

• Able to handle existing analog technology

• Ready for the IP surveillance future

CCTP products exclusively manufactured for Anixter by Belden and Siemon.

*Winner of the "Best New Technology" Award at the Federal Office Systems Expo (FOSE)


csoletters@cxo.com

IT's a Matter of Trust

When waging war, it's important to know who your enemies are. It might be even more important to know the exact coordinates of your friends. But how can you trust those friends if you don't know how they operate? Our July "Hall Monitors" story emphasized the need to know who's on your network and how they operate.

MAPPING NETWORKS AND PERFORMING PENETRATION TESTING may provide some confidence level, but if the people who we have holding the keys to the castle intend harm or to just plain rip us off, all the other work could be wasted. Strong, deep "people due diligence" should always be part of the mitigation plan. Many methods exist to accomplish this, such as a background investigation that could reveal a past history of similar behavior. It's the people, not the machines!

WILLIAM M. BESSE
Director of Corporate Security
Belo

One Broken Window Begets Another

Ever walk by a broken window in a rundown building and feel the temptation to throw a rock? Our June CSO Undercover column, "Broken Windows in the Boardroom," emphasized the importance of remembering the little things that need to be fixed. And to then dole out the accountability. This reader agreed.

YOUR JUNE CSO UNDERCOVER ARTICLE makes a compelling case for accountability as a fundamental tenet of risk management and security policy. Well done. It seems so obvious but, as the marketing executive for a startup who is building a tool squarely targeted at the "knowledgeable, empowered insider" from an information theft and misuse perspective, I've seen repeatedly the implementation of policy without the will or the means to ensure employees and other insiders are accountable—and not merely responsible—for their actions.

BILL FLETCHER
VP of Business Development
Verdasys

The Heat Is On

In baseball, when a pitcher is described as "bringing the heat," it means he's going to throw the ball with great force. If you fear the heat, you'll need to step back from the plate. Same is true in security. But our July column, "If You Can't Stand the Heat, Don't Call 'Em," provoked a bit of rage. It's about calling in law enforcement—the heat, if you will. Apparently, several of you won't.

THIS ARTICLE UNDULY SPREADS FEAR and perpetuates the urban myth that calling in law enforcement for an IT penetration incident should be avoided. And it undermines our collective security efforts.

Calling in law enforcement when economic losses exceed $5,000 (which is not very difficult to quantify) can benefit a business by limiting liability, mitigating damage and helping stop perpetrators, yet it does remain a business decision.




How  to  Reach  Us 


Notification of the penetration through the InfraGard organization gives the company the choice to simply report without having company-identifying information revealed and allows others to be alerted to the exploit before they encounter it in their network on an opt-in basis. A simple report through InfraGard serves the higher purpose to reduce our shared risk. A critical mass of real-world incident data can contribute greatly to analysis and trending, resulting in improvements in preventive, investigative and incident-reduction efforts. Submission of incident data without fear of a confidentiality leak or loss of control is an important message and one that was completely missing in this article. For more on incident reporting through InfraGard, see www.infragard.net/ireporting.htm.

BETTY PIERCE
President
Secure Network Systems
FBI InfraGard Denver Board Member

A FORMER SECURITY OFFICER FOR THE Department of Energy recommended a different route to report computer crime.

I forwarded the process to a company that used it successfully. The company hired a private security company to come in and compile the evidence. The security company assisted in taking the evidence to the authorities. The process worked very well, and the company was successful in court.

PHIL SHOCKLEY
CIO
Payday People Plus

Patchy Prayers

In August, we told you to patch. And to pray. Some of you found that advice sinful.

ALTHOUGH PATCHING IS A CHORE, IT is the only way to currently keep the vandals and their viruses at bay. Slammer was a very tricky exploit, but most worms are not as sophisticated and most patches are beneficial.

On the other hand, the big problem is the lack of liability that the software publisher faces in the real world. Every license stipulates that the publisher is not responsible for "collateral damage" resulting from the use of the software. This is like a carmaker saying that its liability is limited to the car itself and not the passengers or pedestrians.

If there is no incentive to make the software more secure through exhaustive testing, the publishers will not do it. If industry reviewers criticize a company for being late to market because of thorough testing, as Microsoft was with Windows 95, then we can expect more buggy code.

Software publishers have the most restrictive rights of any intellectual property I can think of. Along with that should come a responsibility to produce the best, most thoroughly tested product possible.

TERRY CLARK
Systems Manager
The Republic

WE MUST FIND WAYS TO AUTOMATE the maintenance of systems. We cannot hope to defend against sophisticated automated exploits without sophisticated automated defenses!

CONNIE SADLER
IT Security Officer
Brown University

I WANT TO SPECIFICALLY COMMENT on the article's commentary that patching no longer works. There clearly are patch horror stories, as there are horror stories with every other type of security countermeasure. That doesn't mean that patching doesn't improve security as a whole.

While there is a need for improvements in the process of deploying patches, it does work when applied well. Do we claim that seatbelts don't work because an accident victim didn't wear one? Blaster was an example where well-applied patching greatly minimized potential damage;


E-MAIL
csoletters@cxo.com

PHONE
508 872-0080

FAX
508 879-7784

ADDRESS
CSO Magazine
492 Old Connecticut Path, P.O. Box 9208
Framingham, MA 01701-9208

SUBSCRIBER SERVICES
phone: 866 354-1125
fax: 847 564-9453
e-mail: cso@omeda.com

REPRINTS
For article reprints (500 quantity or more), please contact Chad Johnston at RSiCopyright at 651 582-3800 or e-mail csoreprints@rsicopyright.com.

ABOUT IDG International Data Group (IDG), the leading global provider of IT media, research, conferences and events, informs more people about technology than any other company in the world. Offering the widest range of media options, IDG reaches more than 120 million technology buyers in 85 countries representing 95 percent of worldwide IT spending. IDG publishes more than 300 newspapers and magazines in 85 countries, led by the Computerworld, Infoworld, Macworld, Network World, PC World and CIO global product lines. IDG offers online users the largest network of technology-specific sites around the world through IDG.net (www.idg.net), a gateway to IDG's 330 websites powered by more than 2,000 journalists reporting from every continent in the world. IDG also produces 168 technology-related conferences and events, and research company IDC provides global market intelligence, analysis and forecasts in 43 countries.


however, it was not a perfect solution. For that matter, nothing is the perfect solution. The only people selling perfect security solutions are fools or liars. What is needed is Defense in Depth and properly trained staff. Articles that give the impression that patching as a whole is ineffective are dangerous.

IRA WINKLER
Chief Security Strategist
HP

We want to hear from you

E-mail criticism, thoughts and suggestions to csoletters@cxo.com. You can find the stories mentioned in these letters at www.csoonline.com/printlinks.




Dr.  Larry  Ponemon  is  a  pioneer  in  the  develop¬ 
ment  of  privacy  audits,  privacy  risk  management  and 
ethical  information  management,  and  is  the  chairman 
and  founder  of  The  Ponemon  Institute  in  Tucson,  AZ. 


UNISYSp  R  E  S  E  N  T  S 

theEXPERT 


A  few  minutes  with  Dr.  Larry  Ponemon, 
chairman  and  founder,  Ponemon  Institute 


Security  and  Risk:  Calculating  ROI 


>  Some  say  that  calculating  ROI  and  ROSI  is  an  art, 
implying  that  it  is  not  precise.  Why  is  this  the  case? 

Since  security  affects  many  different  business  activities  and 
areas  of  an  organization,  there  is  no  one  single  program  or 
process  to  manage  and  measure.  Thus,  the  challenge  is  to 
understand  the  interrelationships  between  a  company’s  IT 
infrastructure  and  various  business  processes.  For  each  busi¬ 
ness  process,  you  need  to  define  the  true  costs  of  security 
as  well  as  the  opportunity  costs  that  can  be  incurred  if  rea¬ 
sonable  security  is  not  adequately  maintained.  The  good 
news  is  that  other  complex  and  subjective  areas — such  as 
total  quality  management  (TQM) — are  now  being  measured 
using  traditional  methods. 

>  What  metrics  should  be  used? 

ROSI  can  be  measured  by  using  three  different  cost  dimen¬ 
sions  to  understand  the  organization’s  investment  in  a  secu¬ 
rity  initiative.  These  are  direct  cost,  indirect  cost  and  oppor¬ 
tunity  cost.  Direct  cost  is  the  direct  expense  outlay  to 
accomplish  a  given  activity,  such  as  purchasing  an  intrusion 
detection  system  or  firewall  technology.  Indirect  cost  is  the 
amount  spent  in  time,  effort  and  other  organizational 
resources — but  not  as  a  direct  cost  outlay.  An  indirect  cost 
could  be  the  time  spent  installing  a  new  technology  and 
working  out  any  of  the  glitches.  The  opportunity  cost  is  the 
cost  resulting  from  inefficient  or  ineffective  compliance, 
including  the  cost  of  failure  or  non-compliance.  This  could 
be  a  consequence  of  not  having  sufficient  perimeter  controls 
protecting  sensitive  information  such  as  intellectual  prop¬ 
erty,  customer  data  and  employee  records. 

>  What  typical  rate  of  ROI  or  ROSI  can  a  company 
expect? 

Companies  can  expect  a  fairly  volatile  short-term  ROSI. 
Events  such  as  equipment  failures  or  malicious  attacks  on  the 
system  mean  that  information  security  costs  can  spike  unex¬ 
pectedly.  Over  time,  however,  a  true  ROSI  should  be  equal 
to  other  capital  investments,  so  it’s  important  for  companies 
to  take  a  long-term  approach  to  ROSI.  I  should  note  that  the 
equalization  ROSI  only  occurs  when  an  organization  man¬ 
ages  its  IT  infrastructure  in  a  holistic  fashion,  as  opposed  to 
a  piecemeal  approach. 

>  How  important  is  it  that  people,  processes,  poli¬ 
cies  and  platforms  be  integrated  into  an  enter¬ 
prise  security  management  solution? 

In  my  view,  the  goal  of  achieving  reasonable  security  of  a  com¬ 
pany’s  IT  infrastructure  requires  an  integration  of  the  right 
mix  of  software,  hardware,  people,  policies  and  practices. 
Without  integration,  the  consequences  to  an  organization  can  be: 


•  Wasted  resources  due  to  redundancies  and  duplications  in 
systems  and  applications. 

•  Employee  negligence  or  abuse  due  to  lack  of  understanding 
about  the  company’s  security  program  policies  and  processes. 

•  Conflicting  and  contradictory  policies  that  create  a  loss  of 
credibility  and  trust  in  the  security  of  the  infrastructure. 

•  Inadequate  understanding  of  the  risks  to  the  organization, 
which  can  result  in  making  the  organization  susceptible  to  cat¬ 
astrophic  events. 

“Over  time,  a  true 
ROSI  should  be 
equal  to  other  cap¬ 
ital  investments. 

>  Can  security  initiatives  be  as  much  about  business 
creation  as  intrusion  prevention? 

More  and  more  people  are  becoming  knowledgeable  about 
information  security  risks,  such  as  identity  theft.  This  height¬ 
ened  awareness  may  be  used  as  a  strategic  business  advan¬ 
tage  by  some  organizations — especially  those  that  obtain 
sensitive  personal  information  about  people  and  their  fami¬ 
lies.  Thus,  there  is  an  upside  to  becoming  a  security  exem¬ 
plar.  In  turn,  the  downside  associated  with  a  security  breach 
or  violation  can  damage  business  relationships,  reputation 
and  brand  in  the  marketplace. 

>  What  are  the  key  criteria  for  prioritizing  security 
initiatives? 

The  Ponemon  Top  Five  List: 

1.  Assess  risks  and  areas  of  vulnerability  to  the  company’s 
infrastructure. 

2.  Understand  the  risks  of  non-compliance  with  privacy  and 
security  laws  and  regulations. 

3.  Understand  the  employee-related  security  risks  and  make 
sure  you  provide  the  appropriate  level  of  training  to  all  indi¬ 
viduals  in  the  organization. 

4.  Determine  the  costs  associated  with  business  interrup¬ 
tions  that  can  occur  in  different  areas  of  the  organization. 

5.  Measure  and  monitor  the  program  to  ensure  compliance 
with  your  security  goals. 

For more information, please call 800-874-8647 x381 or visit www.unisys.com/security

Unisys

Imagine it. Done.


How secure is secure?

We help uncover the cyber risks so AIG can provide more cyber insurance than anyone else.

Outsourcing
Infrastructure
Server Technology
Consulting

Imagine it:

Underwriting cyber risks - from viruses to cyberextortion. How do you provide insurance for these new and devastating threats? You understand them first - and work with a partner who could uncover a broad range of security and technology gaps.

Done:

AIG’s eBusiness Risk Solutions Group partnered with Unisys and leapt together into cyber protection. Today, AIG eBRS provides most of the world’s network security and cyber insurance. And Unisys integrates planning and protection for a broad range of needs like privacy. Identity. Collaboration. Business Continuity. Infrastructure. Our holistic approach is one reason why Unisys has been awarded IT security integration for U.S. airports.

Can we help you identify security gaps? Call us.

Security with precision thinking and relentless execution to drive your vision forward.

Imagine it. Done.

www.unisys.com/security 800.874.8647 x372

Insurance underwritten by member companies of American International Group, Inc. (AIG). © 2003 Unisys Corporation. Unisys is a registered trademark of Unisys Corporation.


Security Sets You Free


Security is the last thing on this Chief Security Officer’s mind. That’s because it’s the first thing on ours. Armed with real-time information and response capabilities from VeriSign’s Security Intelligence and ControlSM Services, he can now take the initiative. Play offense, rather than defense. Focus on the kinds of projects that will keep his Fortune 500 publishing company competitive, like establishing a global VPN. And reducing operating costs. Now he can think freely. At least until an editor calls, wanting to stop the presses.

To learn more about VeriSign’s new Security Intelligence and ControlSM Services, visit www.verisign.com

The Value of TrustSM

© 2003 VeriSign, Inc. All rights reserved. VeriSign, the VeriSign logo, Security Sets You Free, Security Intelligence and Control, and other trademarks, service marks, and logos are registered or unregistered trademarks of VeriSign and its subsidiaries in the United States and in foreign countries.


VIRUSES Human frailty, spam and a dangerous Microsoft Windows vulnerability combined to produce a flood of new Internet worm attacks in August. There were four major worm infections, including the Aug. 11 appearance of W32.Blaster, a virulent new worm that exploits a flaw in a Windows protocol.

Blaster spread worldwide in a matter of hours, infecting hundreds of thousands of machines. A poll of 1,100 organizations by TruSecure found that almost 21 percent were infected by Blaster. As Blaster tailed off, new worms emerged that exploited the same vulnerability. At the same time, a new version of the Sobig worm, Sobig.F, began bombarding e-mail accounts around the world.

Have you reviewed the effectiveness of your infosec policies in the past 12 months?

But contrary to appearances, the recent spate of large outbreaks does not herald the arrival of a more dangerous generation of worms. Blaster took very little skill to write, and improvements in Sobig’s ability to self-replicate were the reason for its virulence.

Media attention given to the worm outbreaks is also to blame, says Neel Mehta, a research engineer at Internet Security Systems X-Force. “Virus writers get recognized, and that encourages them and others,” he says. While experts tend to agree on the reasons behind the new worm outbreaks, there is less consensus about what to do to stop them in the future.

Most  agree  that  vendors  need  to  do  a 
better  job  of  weeding  out  security  holes 


to  be  better  about  promptly  applying 
software  patches. 

But  others  lay  blame  at  the  feet  of 


their  customers  to  apply  patches  to 
be  protected  against  new  threats. 
“Traditional antivirus protection is very reactive in nature. Antivirus vendors don’t know about a new virus until their switchboards start to light up with calls from their customers, then it’s a race against time,” says Mark Sunner, CTO at MessageLabs, an e-mail security provider. -Paul Roberts


For  an  Unworthy  Cause 

RISK MANAGEMENT Charitable giving is becoming another risk management decision for companies to weigh. For years corporations have given money directly to charities and have often matched employee donations. But potential liability prescribed by the USA Patriot Act has put on the brakes. The act makes it a federal offense to financially support terrorism. Unless companies are willing to follow the money trail of every donation they make, they could be held criminally liable for their charitable giving. “[Executives] are just now identifying that they have a real criminal problem on their hands that is on par with Sarbanes-Oxley,” says Craig Wichner, CEO of KindMark, a provider of online corporate giving services. “Any company that isn’t concerned about this doesn’t understand the problem.”

About  70  percent  of  large  corporations  have  some  sort  of 
charitable  giving  program.  Wichner  points  out  that  in  some  cases 
those  companies  support  20,000  to  30,000  charities  apiece. 
Screening  every  charity  is  a  logistical  nightmare.  The  government 
has  criteria  that  it  uses  to  screen  charitable  organizations,  and 
companies  might  be  expected  to  follow  the  same  procedures. 

KindMark’s Web platform automates the donation process for companies, but because of the Patriot Act, the company has had to take on the charity investigation process for its customers. KindMark screens all charities before they get listed on its site and again before money is sent. The company has more than 850,000 approved charities on its platform. But the wording of the Patriot Act is vague, and regardless of how companies try to address the tracking of charitable giving, it’s a judgment call as to whether they are providing a “reasonable” degree of screening. “Companies that support these good programs deserve to do it without the fear or concern of being named [as a supporter of terrorism],” says Wichner. -Daintry Duffy


News,  Stats  and  Fast  Facts 

Edited  by  Kathleen  Carr  and  Daintry  Duffy 


On  the  Offensive 


Eighteen  percent  of  online  respondents 
have  not  reviewed  their  security  policies 
in  the  past  year.  Twenty-five  percent  of 
the  7,500  respondents  to  our  survey  said 
the  same.  Where  will  this  trend  lead  us? 
For  more  survey  results,  read  “The  State 
of  Information  Security  2003”  starting 
on  Page  38. 


ILLUSTRATIONS  BY  CHRIS  PYLE 


October  2003  www.csoonline.com  15 


BIG, SCARY NUMBERS

Identity theft in the U.S. has cost consumers
annually since January 2001

SOURCE: HARRIS INTERACTIVE 2003

How Police Officers Are Trying to Help

LAW ENFORCEMENT In July, the Secret Service, Federal Trade Commission and U.S. Postal Inspection Service joined the International Association of Chiefs of Police (IACP) to unveil a new resource to teach officers in more than 40,000 U.S. police departments to recognize and fight identity crimes.

The groups are distributing a combination video and CD-ROM called the Identity Crime Interactive Resource Guide to increase police officers’ understanding of identity crime. The CD contains more than 40 resources that officers can use to pursue identity thieves, as well as resources for victims of identity theft.

Much of the information on the CD is geared toward getting cops to recognize identity theft as a motive in what was previously considered ordinary property theft, such as purse snatching, says Gene Voegtlin, legislative counsel for the IACP. Cops are also taught about the international dimensions of a problem that was once thought of as a local nuisance. With the robust trade in false documents, identity theft can be a crime with connections to terrorism and implications for domestic security, says the Secret Service.

Despite that fact, it is local law enforcement rather than the Department of Homeland Security that is on the front lines of the war on identity theft because victims are likely to contact the local police department first, Voegtlin says. -P.R.

PHISHY BUSINESS

IDENTITY THEFT Some customers of the popular PayPal online payment service were swindled recently after identity thieves used spam and phony websites to swipe their personal billing data and credit card numbers.

The PayPal scams and others like it point to the growing problem of identity theft on the Internet. The U.S. Federal Trade Commission reports that identity theft has been the top complaint registered in its Consumer Sentinel database for the past three years. And in July, Gartner said that in a survey of approximately 2,400 households, 3.4 percent of U.S. consumers had been victims of identity theft. Translation: More than 7 million consumers were victims of identity theft from June 2002 to June 2003.

The increased identity theft activity prompted the FTC, FBI, the National Consumers League and ISP EarthLink to publicly warn Internet users about the dangers of online identity theft scams. In particular, the groups pointed to the growing numbers of so-called “phisher” websites, which are designed to look exactly like legitimate Web addresses, such as Amazon.com, BestBuy.com and PayPal.com.

Customers of those sites are often lured by spam purporting to come from a customer support rep at the company. The e-mail messages provide Web links to the phisher sites and ask customers to update their account information, often threatening to cut off their accounts if they don’t.

When victims enter their information into forms provided on the phony sites, that information is sent to servers owned by the thieves, which are often located outside the United States.

Since the beginning of 2003, a number of high-profile companies have had their good names sullied by phisher e-mail scams, including Citibank NA and Best Buy.

CSOs can take steps to educate employees about such dangers. The FBI suggests the following tips:

• Exercise extreme caution when responding to unsolicited e-mail messages that ask you for personal, financial or identifying information, such as a Social Security number, account password or credit card number.

• Navigate to a company’s website yourself if you need to update account information, rather than following links to a site from an e-mail message or another website.

• Beware of sites that have long or odd-sounding domain names. Phisher sites often use legitimate-looking Internet addresses. For example: www.paypal-billingnetwork.net was the address of a recent phisher site targeting PayPal (www.paypal.com) customers.

• Report suspicious e-mail messages to your ISP, and contact the company in question if you have concerns about an e-mail message that you received.

• Contact your local police if you feel you’ve been victimized, and file a complaint with the FBI’s Internet Fraud Complaint Center at www.ifccfbi.gov. -Paul Roberts
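The “legitimate-looking address” tip in the Phishy Business item, turned into a check a mail gateway or awareness tool could run over an incoming message. This is an added example, not code from the article, the FBI or any vendor; the brand-to-domain table, the public-suffix shortlist, the sample e-mail and all function names are constructed for it.

```python
import re
from urllib.parse import urlparse

# Brands the article names and the domains they really use. This table is an
# assumption for the example, not an authoritative list.
BRAND_DOMAINS = {
    "paypal": {"paypal.com"},
    "amazon": {"amazon.com"},
    "bestbuy": {"bestbuy.com"},
}

# A few two-label public suffixes so "secure-login.co.uk" splits correctly;
# a production filter would load the full Public Suffix List instead.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "co.nz"}

# Scheme-less "www." links count too: phishing mail frequently omits http://.
URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Registrable part of a hostname: www.paypal-billingnetwork.net -> paypal-billingnetwork.net."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def extract_urls(text: str) -> list[str]:
    """Pull every link out of a message body, normalising scheme-less links."""
    urls = []
    for match in URL_RE.finditer(text):
        url = match.group(0).rstrip(".,;:)")        # drop trailing sentence punctuation
        if not url.lower().startswith("http"):
            url = "http://" + url
        urls.append(url)
    return urls


def classify_url(url: str) -> tuple[str, str]:
    """Return (verdict, registrable domain); verdict is 'legitimate', 'lookalike' or 'unknown'.

    A link is a lookalike when a protected brand name appears anywhere in the
    hostname (a subdomain, a hyphenated label, ...) but the registrable domain
    is not one the brand owns. Typo-squats such as paypa1.com carry no brand
    string at all and are deliberately NOT caught here; they need a separate
    edit-distance check.
    """
    host = (urlparse(url).hostname or "").lower()
    domain = registrable_domain(host)
    compact = host.replace("-", "")                 # so "best-buy" matches "bestbuy"
    for brand, real_domains in BRAND_DOMAINS.items():
        if domain in real_domains:
            return "legitimate", domain
        if brand in compact:
            return "lookalike", domain
    return "unknown", domain


def check_message(body: str) -> list[dict]:
    """Classify every link in a message body; the caller decides whether to block or warn."""
    findings = []
    for url in extract_urls(body):
        verdict, domain = classify_url(url)
        findings.append({"url": url, "domain": domain, "verdict": verdict})
    return findings


# Constructed sample message. The lookalike address is the one the article
# cites; the surrounding text is made up for the demonstration.
SAMPLE_EMAIL = """\
From: "PayPal Customer Support" <support@paypal.com>
Subject: Your account will be suspended

Dear customer, please confirm your billing details within 24 hours at
http://www.paypal-billingnetwork.net/update or your account will be closed.
Our privacy policy is available at https://www.paypal.com/policy.
Further reading: www.csoonline.com
"""

if __name__ == "__main__":
    for finding in check_message(SAMPLE_EMAIL):
        print(f"{finding['verdict']:<10} {finding['domain']:<28} {finding['url']}")
```

Run stand-alone it lists three verdicts: lookalike for the paypal-billingnetwork.net link, legitimate for paypal.com, unknown for the unrelated domain.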



16  www.csoonline.com  October  2003 


CIO  ADVERTISING  SUPPLEMENT 


EVERY  STEP  OF  THE  WAY 


(ISC)2 Provides the Gold StandardSM of Certification for Security Professionals Throughout Their Career Path


Q: What do the U.S. National Security Agency, Deloitte-Touche Consulting, U.S. Veterans Administration, Novell Inc., and the Federal Aviation Administration have in common?

A: All increasingly expect the employees they entrust with critical, confidential, and valuable data to have earned the information security profession’s top seal of approval: (ISC)2 certification.

Those organizations are among a diverse, fast-growing group of employers who view the International Information Systems Security Certification Consortium—better known as (ISC)2—as the best resource for finding the best-qualified security professionals.

(ISC)2—pronounced “I-S-C squared”—has long granted the industry’s most sought-after credential for mid- and senior-level information security professionals, the title of Certified Information Systems Security Professional (CISSP®). Earning that title is no cakewalk: Candidates must log four years of professional experience, subscribe to (ISC)2’s Code of Ethics, and pass a rigorous six-hour exam. While other credential-granting organizations exist, the CISSP remains the global “gold standard” for information security certification. Additionally, (ISC)2 offers the Systems Security Certified Practitioner (SSCP®) for systems, network, and security administrators. The SSCP credential requires one year of professional experience, passing a four-hour exam, and, of course, subscribing to (ISC)2’s Code of Ethics.

While other industry certifications tend to be highly specialized, often involving a specific vendor, (ISC)2 “is really a foundational certification that shows an understanding of security from a holistic viewpoint,” says Michael Rasmussen, an analyst with Forrester Research Inc. In addition, Rasmussen says, (ISC)2 credentialing offers unparalleled credibility, requiring recipients to demonstrate not just correct test answers, but a track record in the field as well.

To date, (ISC)2 has certified nearly 20,000 information security professionals in 90 nations; that number is expected to reach 50,000 in 2006.

Now, in response to marketplace demand, (ISC)2 offers education, training, and credentials for security professionals at every stage of their career—from recent college grads to veteran CISSPs and SSCPs seeking additional certifications for expertise in a specialty area. “We want to focus on the whole career path,” says Dow A. Williamson, director of communications for the

It’s  What  You  Know: 

The  (ISC)2  CBK™ 

Security  professionals  seeking 
CISSP  certification  must  have 
working  knowledge  in  10  domains 
of  the  CBK: 

■  Security  Management  Practices 

■  Security  Architecture  and  Models 

■  Access  Control  Systems  & 
Methodology 

■  Application  Development  Security 

■  Operations  Security 

■  Physical  Security 

■  Cryptography 

■  Telecommunications,  Network  & 
Internet  Security 

■  Business  Continuity  Planning 

■  Law,  Investigations  &  Ethics 

Security  practitioners  seeking 
SSCP  certification  must  have 
working  knowledge  in  7  domains 
of  the  CBK: 

■  Access  Controls 

■  Administration 

■  Audit  and  Monitoring 

■  Cryptography 

■  Data  Communications 

■  Malicious  Code/Malware 

■  Risk,  Response  and  Recovery 


<  1  > 


CIO  ADVERTISING  SUPPLEMENT 


In response to marketplace demand, (ISC)2 offers education, training and credentials for security professionals at every stage of their careers.


Vienna, Va.-based (ISC)2—and himself a CISSP. “We want to provide cradle-to-grave support for information security professionals.”

Of course, requirements for the new (ISC)2 offerings vary greatly, depending on candidate skill and experience levels. But all are designed to provide the same gold-standard level of proficiency as the flagship CISSP.

And that’s guaranteed to benefit two target audiences. First, there are employers, such as the U.S. Department of Veterans Affairs and others mentioned above, who seek the very best job candidates. Second, and equally important, are security professionals seeking the very best jobs—no matter where they are in their careers.

The  Security  Evolution 

(ISC)2 was born in 1989, when several professional associations joined forces to create a single set of standards for professionals. Soon afterward, companies worldwide began opening their computer networks to telecommuting employees, contractors, partners and customers, promoting greater accessibility but also creating more potential threats to data security. Then came the World Wide Web. E-commerce, online databases, intranets and extranets, and even e-mail and instant messaging generated still more security risks: hacker attacks on systems or Web sites, theft of credit-card numbers or confidential data, system slowdowns or damage from computer viruses.

Not surprisingly, as network and Internet access grew, so did the demand for highly skilled information security specialists. And, of course, the need for constantly updated, industry-wide standards kept pace, too. By October 2002, (ISC)2 had certified 10,000 CISSP certifications; over the next 10 months, that number nearly doubled.

Meanwhile, (ISC)2 evolved as well. The non-profit consortium kept building its CBK, the trademark compendium of industry best practices begun with (ISC)2’s founding in 1989. Questions for all (ISC)2 exams are drawn from the continuously updated CBK (see “It’s What You Know,” page 1).

In 2001, (ISC)2 launched a new credential, the Systems Security Certified Practitioner (SSCP). That certification supports professionals in more technical security roles, such as Network and Security Administrators. To date, (ISC)2 has awarded nearly 500 SSCPs worldwide. Organization officials expect demand to grow as employers discover the credential’s value and increasingly expect to see it on resumes.

Now (ISC)2 offers that same gold-standard level of support for info-security pros at every step in their careers:


(ISC)2 at a Glance

Name: International Information Systems Security Certification Consortium; also known as (ISC)2.

Location(s): Vienna, VA (headquarters); Palm Harbor, FL (operations); London, U.K.; Hong Kong, China.

Founded: 1989

Description: (ISC)2 is a non-profit organization that has certified approximately 20,000 information security professionals in more than 90 countries over the past 15 years. Dedicated to providing information security professionals with the standard for professional certification, (ISC)2 grants two vendor-neutral credentials: the Certified Information Systems Security Professional (CISSP) and the Systems Security Certified Practitioner (SSCP). CISSP and SSCP credentials are based upon (ISC)2’s CBK, a compendium of industry “best practices” for information security professionals, and require years of professional experience in their field prior to certification. (ISC)2 also serves as an advocate on public policy issues affecting the information security profession.

Executive Director: James E. Duffy, CISSP

Motto: Security Transcends TechnologySM

Scope: Nearly 20,000 certifications in 90 nations. By 2006, 50,000 certifications in 100 nations worldwide

Contact: (ISC)2
1964 Gallows Road, Suite 210
Vienna, Virginia 22182 U.S.A.
Phone: 888-333-4458
Fax: 703-356-7977
Email: info@isc2.org
Web Site: www.isc2.org


<2  > 


CIO  ADVERTISING  SUPPLEMENT 


Employer’s  Perspective: 

I  can’t  imagine  not  having  this  certification. 


When Bruce A. Brody joined the U.S. Department of Veterans Affairs in March 2001, he was only the agency’s third Certified Information Systems Security Professional (CISSP).

“Now we have 42,” says Brody, who, as the department’s associate deputy assistant secretary, oversees 118 information security workers in Washington, D.C., and Martinsburg, WV.

And he expects that number to grow, both through new hires and by encouraging current employees to earn the coveted (ISC)2 credential: “Our goal is to have more than 100 CISSPs by the end of this year.”

Reached between assignments early one morning, the veteran security administrator shared his thoughts about the value of (ISC)2 certification:

Why  did  you  decide  to  obtain  (ISC)2  certification  yourself? 

In terms of career advancement, I can’t imagine not having this certification. There are others, but none is as meaningful. This is the most comprehensive, the most widely recognized. There’s no better one to have. I believe that will be the case for the foreseeable future.

What makes the (ISC)2 certification so desirable?

Individuals who gravitate toward it are true information security professionals. You don’t just take a test, although the test itself is impressive. You have to attest to a certain background, a certain number of years of specific information security experience. You have to sign an ethics statement about your behavior as an information security professional. Then you have to take and pass the test.

Speaking  of  the  certification  exam,  just  how  tough  is  it? 

When  I  took  it,  when  I  first  cracked  the  book  and  saw  the  questions, 
I  thought  I  had  walked  into  the  wrong  room.  It  is  a  mental  workout. 
After  it  ended,  I  was  shot  for  the  next  day.  It’s  really  the  equivalent 
of  a  bar  exam  for  this  career.  And  it  is  comprehensive.  You  can’t  fake 
it.  You  really  have  to  know  your  ten  security  domains. 

As  an  employer,  how  do  you  view  (ISC)2  certification? 

Whenever  I  have  two  candidates  for  a  job  who  are  equal  in  all 
other  ways,  if  one  has  the  CISSP,  that’s  who  I  hire.  When  you  hire 
a  CISSP,  you  know  that  that  person  has  a  base  level  of  knowledge 
in  the  field  that  you  can  draw  on.  The  uncertainty  has  gone  away. 

What  do  you  expect  of  an  (ISC)2-certified  employee? 

I  expect  the  person  to  be  a  thought  leader,  an  innovator,  someone 
who  knows  their  stuff.  This  is  a  person  I  can  go  to  for  the  hardest 
jobs  in  this  field,  and  I  can  expect  top-quality  work. 

What  do  you  think  about  (ISC)2’s  new  offerings, 
designed  to  support  security  professionals  at  every  point 
on  their  career  paths? 

The Associate level is a good idea. It’s good to get younger individuals into the workforce to replace people who retire. If we get an Associate-level person here, we might be able to help them get to the next level. The expert specialty areas are good, too. Anything they can do to enrich the certification is valuable. ■


Step  1  Entry  Level 

For those just starting out, there’s the new Associate of (ISC)2 program. This status is available to new security professionals—typically recent college graduates—who can pass the CISSP or SSCP exams, subscribe to the (ISC)2 Code of Ethics, but lack the requisite experience for full certification. For the first time, the initiative allows the (ISC)2 to provide support to practitioners early in their careers. “Once you pass the exam, you have access to (ISC)2 resources—the Web site, peer networking, information to help you get used to the Code of Ethics and other professional aspects of the career,” says (ISC)2’s Williamson.

Step  2  Professional  Level 

Mid-career  professionals  can  continue  to 
benefit  from  the  (ISC)2’s  best-known 
offerings,  the  CISSP  and  SSCP. 

Step  3  Specialty  Level 

Established pros who already hold CISSP certification can take the next step, establishing expertise in several advanced specialty areas called Concentrations. (Think of it as a graduate school course of study.) Options include:

■ The Information Systems Security Architecture Professional (ISSAPCM). This concentration validates extensive knowledge in access control, telecommunications and network security, cryptography, requirements analysis and security standards criteria, business continuity and disaster-recovery planning, and physical security integration.


“The new concentrations increase the ability of information security personnel to balance business issues, further develop expertise in security, and keep up to date with trends in the industry.”

-Kevin Henry, (ISC)2 Institute, director, program development


<3  > 


CIO  ADVERTISING  SUPPLEMENT 


■ The Information Systems Security Engineering Professional (ISSEPCM). This concentration, developed as a joint effort with the U.S. National Security Agency (NSA), validates extensive knowledge of the unique information-protection needs. The ISSEP exam focuses on systems security engineering, certification and accreditation, technical management, and U.S. government information regulations.

■ The Information Systems Security Management Professional (ISSMPCM). This concentration validates extensive knowledge in enterprise-wide security management and development: overseeing of operations security compliance; business continuity and disaster-recovery planning; and law, investigation, forensics and ethics.

(ISC)2 expects to offer concentrations for the SSCP credential soon.

By expanding its credentialing options to cover the whole career spectrum, (ISC)2 expects to recognize its 50,000th security professional by 2006. “These options allow people to establish a career path, a plan of where they want to go,” says Forrester Research’s Rasmussen. Employers benefit as well, says Kevin Henry, (ISC)2 Institute, director, program development. “In today’s economy, nearly every business relies on a solid, stable and secure infrastructure to operate efficiently and competitively,” says Henry, who holds both CISSP and SSCP credentials. “The new concentrations increase the ability of information security personnel to balance business issues, further develop expertise in security and keep up-to-date with trends in the industry.”

Meanwhile, organization officials emphasize, achieving any (ISC)2 certification is a beginning, rather than an end. All CISSPs and SSCPs must re-certify every three years, providing evidence that they’ve stayed abreast of new developments in their constantly changing field. (ISC)2 provides plenty of study aids and training courses to help security specialists gain, keep and enhance their professional credentials (for more information, visit www.isc2.org).

The  ROI  of  Security 
Certification 

Is certification worth the effort? Absolutely—for all parties involved.

For job-hunters, (ISC)2 credentials can tip the balance, especially in a tough economy. “About three years ago, we began seeing ‘CISSP Preferred’ in ‘Help Wanted’ ads,” says the (ISC)2’s Williamson. “Now we’re beginning to see some of them requiring that designation.” Among those who look for (ISC)2 certification is Bruce A. Brody, Associate Deputy Assistant Secretary for Cyber and Information Security at the U.S. Department of Veterans Affairs in Washington, D.C., who prefers to hire and promote certified employees (see “Employer Perspective,” page 3). The VA, among other organizations, gives monetary bonuses to employees who achieve CISSP certification.

For employers, information security has become more critical than ever, thanks to increased regulation and concerns about cyberterrorism. “Executives and boards of directors have woken up to the fact that they could be held liable” for failing to adequately protect sensitive data, says Forrester Research’s Rasmussen.

In addition, for most employers, hiring people with demonstrable state-of-the-art skills is key to the corporate security strategy. “We’re creating an environment where employers know what they’re getting when they hire an information security worker with (ISC)2 credentials,” says Williamson. “They know that person has passed a comprehensive exam, keeps up-to-date on the latest developments in the field through continuing education, and is adhering to a strict Code of Ethics.”

The ethical edge is particularly important in an era of ever-escalating concerns about human, as well as technical, integrity. Put another way: Security is, at its heart, a people issue. By placing a high value on personal conduct as well as technical expertise, (ISC)2 raises the bar for everyone involved in information security. After all, as Williamson notes: “Trust is the ultimate firewall. It is the real essence of relationships in the networked world.” ■




(ISC)2®  Glossary 

Here  are  at-a-glance 
definitions  of  key  (ISC)2 
acronyms  and  terms: 

Associate  of  (ISC)2:  Status  for 
entry-level  security  practitioners  who 
lack  the  requisite  years  of  experi¬ 
ence  for  full  certification.  Available 
to  those  who  can  pass  CISSP  or  SSCP 
exams  and  subscribe  to  the  (ISC)2 
Code  of  Ethics. 

CBK™:  Compilation  of  security  best 
practices  organized  into  domains  for 
each  area  of  study,  constantly 
updated  since  (ISC)2’s  1989  incep¬ 
tion.  Questions  for  all  (ISC)2  exams 
are  drawn  from  the  CBK. 

CISSP®  (Certified  Information 
Systems  Security  Professional): 

(ISC)2’s  flagship  offering,  the  "gold 
standard"  of  certification,  awarded 
to  professionals  with  four  years  of  rel¬ 
evant  experience,  passing  grades  on 
a  250-question  exam,  and  willing  to 
subscribe  to  a  strict  Code  of  Ethics. 
Primarily  for  security  strategists. 

ISSAP℠ (Information Systems Security Architecture Professional): Concentration leading to certification for CISSPs who can demonstrate advanced expertise in access, integration, and other information security architectural issues.

ISSEP℠ (Information Systems Security Engineering Professional): Concentration leading to certification for CISSPs who can demonstrate advanced expertise in systems security engineering and management, especially for U.S. government agencies.

ISSMP℠ (Information Systems Security Management Professional): Concentration leading to certification for CISSPs who can demonstrate advanced expertise in enterprise-wide security development and operations, including continuity, disaster planning, and other areas.

SSCP® (Systems Security Certified Practitioner): Certification for information security professionals in technical, rather than management, roles, such as systems administrators and network managers. Awarded to professionals with one year of relevant experience, passing grades on a 125-question exam, and willing to subscribe to a strict Code of Ethics. Primarily for security tacticians.




Robert  Liscouski  On... 


GOVERNMENT  Robert 
Liscouski  is  the  assistant 
secretary  of  the  Infrastructure 
Protection  and  National  Cyber 
Security  Division  in  the 
Department  of  Homeland 
Security  (DHS).  When 
Liscouski  visited  CSO  this 
summer,  we  got  his  views  on 
some  of  the  challenges  facing 
the  DHS. 

Liscouski  on... 

Cybersecurity regulation: "We want to secure cyberspace in the absence of regulation. Frankly, you can argue that regulation doesn't work. If we can use certification to improve security, if we involve the risk management industry, if we incentivize industry to be more secure, we'll be better off than we would be with regulation."

Software quality: "We have to have less tolerance for promises and more measures of performance. I don't care how we motivate software companies, but they have to improve quality. Unfortunately, a lot of bad software development came from market demand. Now the market has to demand quality. I think it will. The mystery behind software development is going away. At the same time, the value of the technology is revealed. If it's as valuable as it appears, we have no choice but to improve it."

Color-coded  terror  alerts: 

“It’s  a  less  than  perfect  system. 
It  needs  to  be  more  specific  by 
sector  or  region.  The  alerts 
were  never  supposed  to  be 
news  on  CNN  every  time  they 
changed.  What  I’d  like  to  see  is 
for  us  to  systemically  reach  a 
hardened  level,  where  we  don’t 
need  a  color  system.  We  should 
be  protected  every  day  as  if  we 
were  at  Orange  Alert.” 

-Scott  Berinato 


Unsure Compliance

What is the best way to achieve critical infrastructure protection?

A REAL-LIFE CASE FOR REGULATION


The  Day  the  Lights  Went  Out 

On Thursday, Aug. 14, the lights went out in Cleveland, Detroit, New York City and Ontario, Canada. Thousands of people navigated dark city streets and subway tunnels. In Cleveland, where electric pumps supply the city's water from the lake, those same people went without a drop of water on one of the hottest days of the summer. Not fun. We polled readers to find out how the blackout affected their businesses, and 382 of you responded. Half of you think the government must take a stronger hand in regulating the electric industry.

To  view  the  entire  survey,  find  it  online  at  www.csoonline 
.com/printlinks.  Here's  where  you  think  the  fault  and  the 
solution  lie.  -Kathleen  Carr 


[Chart: "The government should expand oversight of the electric industry" (half of respondents agreed; see text)]

What was the root cause of August's power failure?

33%  Out-of-date systems
15%  Technical malfunction
14%  (label not recovered)
11%  Other
11%  Human error
6%   Transmission problems
6%   Confluence of events
4%   Sabotage

Moneyfor  Nothing? 

CYBERINSURANCE  Cyber¬ 
insurance  may  be  the  hot  product  in  the 
insurance  industry  now,  but  many  CSOs 
are  wondering  whether  it’s  worth  the 
money.  Most  reputable  insurers  now 
require  that  policyholders  undergo  a 
security  assessment  of  their  IT  assets  by 
a  managed  security  services  provider 
(MSSP).  “We  want  a  tangible  sense  of 
what  you’re  doing  in  terms  of  putting  in 
intrusion  detection  systems,  firewalls 
and  business  continuity  planning,”  says 
Peter  Foster,  senior  vice  president  of  the 
risk  practice  at  Marsh. 

An MSSP's consultants will analyze and measure a company's level of IT security against some objective standard, usually ISO/IEC 17799 or its British predecessor, BS 7799. While
total  adherence  to  those  standards  isn’t 
expected,  companies  that  measure  up 
will  get  discounted  premiums  and  better 
terms  on  their  policies,  says  Ty  Sagalow, 
COO  and  executive  vice  president  at 
American  International  Group  eBusiness 
Risk  Solutions.  In  addition,  companies 
that  outsource  security  services  to  an 
MSSP  can  receive  discounts  on  their  pre¬ 
miums,  according  to  both  Sagalow  and 
Foster.  Marsh  offers  customers  using  an 
MSSP  a  discount  of  up  to  20  percent  on 
their  annual  premiums,  which  range  from 
$7,000  to  $25,000  per  year  for  each  mil¬ 
lion  dollars  of  coverage,  Foster  says.  With 
costs  that  high,  any  reduction  in  premi¬ 
ums  can  make  a  huge  difference  to  a 
company’s  cost  of  business,  which  is 
spurring  interest  in  MSSPs,  according  to 
Paul  Brady,  president  and  COO  of 
Guardent. 

But  cyberinsurance  is  still  a  tough 
sell  for  most  companies  when  weighed 
against  the  costs  of  acquiring  it,  says 
John  Pescatore,  research  director  at 
Gartner.  “The  problem  is  that  it’s  hard  to 
define  the  benefits  of  cyberinsurance, 
but  the  terms  of  cyberinsurance  policies 
are  expensive,”  he  says. 

Attitudes  and  buying  behavior  might 
change  if  large  corporations  and  procur¬ 
ers,  such  as  the  federal  government, 
began  requiring  suppliers  to  have 
cyberinsurance,  Pescatore  says. 

- Paul  Roberts 


18  www.csoonline.com  October  2003 




CSI  for  CSOs 

Q&A  Cybersleuth  Joan  Feldman  reads 
other  people's  mail  for  a  living.  As  president 
of  Computer  Forensics,  she  and  her  team 
collect  and  analyze  electronic  data  that  will 
be  used  as  evidence  in  civil  litigation  cases. 
We  spoke  to  her  recently  about  the  current 
state  of  forensic  investigation  and  how  CSOs 
can  best  protect  their  companies. 

CSO:  How  has  the  role  of  cyberevidence 
changed? 

Feldman:  What  has  happened  through  use 
of  computers— particularly  for  e-mail— is 
that  many  conversations  that  once  were  just 
hearsay  because  they  took  place  on  the 
phone  or  face-to-face  are  recorded  and 
therefore  admissible  as  evidence.  Lots  of 
people  don't  really  think  about  this,  including 
CSOs  who  have  never  been  involved  in  litiga¬ 
tion.  When  I  started  in  this  industry  12  years 
ago,  it  wasn’t  routine  for  people  to  ask  for 
e-mail  or  computer-based  information  in 
litigation,  they  would  just  ask  for  the  con¬ 
tents  of  a  file  cabinet.  Technology  has  in 
many  ways  outstripped  the  control  of  the 
corporation.  There’s  now  a  tsunami  of  evi¬ 
dence  that’s  created  all  day  long  by  busi¬ 
nesses  and  public  agencies— and  how  it’s 
gathered  and  used  is  important  for  people 
to  understand.  Any  company  involved  in 
litigation  will  have  to  identify  where  the 
responsive  evidence  is;  it’s  the  organization's 
burden  and  duty  under  civil  discovery.  And 
if  your  company  hasn’t  been  sued  yet, 
your  day  is  coming. 


What  is  the  cost  of  a  forensic  investigation? 

The  average  cost  to  make  an  evidentiary 
copy  of  a  hard  drive  and  lift  the  entire  con¬ 
tents  runs  about  $2,000.  It  involves  the  use 
of  forensic  software  to  create  a  tamperproof 
copy  and  an  audit  trail.  The  cost  of  a  review 
once  the  copy  has  been  created  can  be 
anywhere  from  $1,500  to  $3,000. 

How  have  the  government  and  the  legal 
system  approached  the  issue  of  forensics? 

The issue of privacy has been raised now that companies have awakened to the fact that they can take a closer look at employee activity. Some legislatures have [tried to enact measures to] protect employees but haven't been successful. The closest was in California, where legislators vetoed a bill that would offer some protection. As citizens,
we  have  some  protection  from  phone  taps. 
But  as  employees,  we  don’t  have  much 
protection  from  employers  “listening  in” 


on  e-mail  conversations.  I  think  unified 
messaging  will  tip  the  scale.  When  people 
start  leaving  voice  mail  on  the  same  server 
where  they  leave  e-mail,  it’ll  be  hard  to  col¬ 
lect  and  review  the  messages  in  proprietary 
and  separate  systems.  When  you  leave  a 
voice  mail,  you  have  made  a  tacit  agreement 
to  have  it  recorded.  As  unified  messaging 
becomes  more  routine,  it’ll  be  shocking 
enough  to  [raise]  the  whole  issue  about 
what  employers  can  look  at  and  listen  to. 

What  can  a  CSO  do  to  make  sure  his 
company  doesn’t  get  burned  by  something 
turned  up  in  a  forensic  investigation? 

Often  [CSOs  are]  penny-wise  and  pound- 
foolish.  They  don’t  want  to  expand  server 
capacity.  Instead,  they  tell  people  to  reduce 
the  volume  of  e-mails.  But  users  need  to 
understand  why  they  can’t  save  everything. 
You  need  to  educate  them  about  retention, 
about  the  liability  involved  with  large  storage 
of  e-mail  and  institute  regular  purging  sched¬ 
ules.  It’s  technology  in  conjunction  with  pol¬ 
icy  and  education.  [It  requires]  coordination 
between  the  general  counsel  and  IS  to  avoid 
getting  buried  in  huge  litigation  costs.  For 
example,  the  biggest  ticket  item  of  all  in  an 
investigation  would  be  uncovering  an  e-mail 
from  a  manager  that  said,  “We  can  save  a  lot 
of  money  if  everyone  older  than  48  gets  laid 
off.”  All  you  need  is  that  one  pinhead  com¬ 
ment.  It’s  thoughtless,  and  it's  recorded,  and 
it’s  stuck  out  there  like  a  bug  in  amber.  Com¬ 
panies  can  take  some  basic  steps  by  organiz¬ 
ing  file  cleanup  and  e-mail  purging— just 
make  sure  you're  not  already  under  a  sub¬ 
poena  or  you'll  look  like  Arthur  Andersen.  ■ 
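The "evidentiary copy" Feldman describes above rests on two mechanics: the copy is hashed independently of the source so any later change is detectable, and every acquisition and verification is written to an audit trail. The following is an added example, not code from the interview or from Computer Forensics Inc., showing both steps on an in-memory stand-in for a drive. The choice of MD5 plus SHA-256, the record fields, the examiner and case identifiers, and the constructed mail-spool sample are all assumptions for illustration.

```python
import hashlib
import io
import json
from datetime import datetime, timezone

CHUNK = 1 << 16  # 64 KiB reads, so a multi-gigabyte image never sits in memory at once
ALGORITHMS = ("md5", "sha256")  # assumption: two independent digests, as is customary


def stream_hashes(stream):
    """Hash a file-like object in chunks with every algorithm in ALGORITHMS at once."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    for block in iter(lambda: stream.read(CHUNK), b""):
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def acquire_image(source, image, examiner, case_id):
    """Copy `source` to `image` byte for byte, hash both sides independently,
    and return a chain-of-custody record for the audit trail."""
    source_hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    copied = 0
    for block in iter(lambda: source.read(CHUNK), b""):
        for h in source_hashers.values():
            h.update(block)
        image.write(block)
        copied += len(block)
    source_hashes = {name: h.hexdigest() for name, h in source_hashers.items()}

    # Re-read the written image from offset 0: the verification digest must come
    # from the copy as stored, not from the bytes we believe we wrote.
    image.seek(0)
    image_hashes = stream_hashes(image)

    return {
        "case_id": case_id,
        "examiner": examiner,
        "acquired_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "bytes_copied": copied,
        "source": source_hashes,
        "image": image_hashes,
        "verified": source_hashes == image_hashes,
    }


def verify_image(image, record):
    """Re-hash an image later (before review, before handing it to counsel) and
    compare it with the digests recorded at acquisition."""
    image.seek(0)
    return stream_hashes(image) == record["image"]


def acquire_bytes(data, examiner, case_id):
    """Convenience wrapper for in-memory sources: returns (record, image_bytes)."""
    image = io.BytesIO()
    record = acquire_image(io.BytesIO(data), image, examiner, case_id)
    return record, image.getvalue()


def verify_bytes(image_bytes, record):
    return verify_image(io.BytesIO(image_bytes), record)


def audit_line(record):
    """One JSON object per line, suitable for an append-only audit log."""
    return json.dumps(record, sort_keys=True)


if __name__ == "__main__":
    # Constructed sample "drive": a small mail spool, not real evidence.
    evidence = (b"From: manager@example.com\r\nSubject: headcount\r\n\r\n"
                b"Let's revisit the numbers next quarter.\r\n") * 64
    record, image_bytes = acquire_bytes(evidence, examiner="J. Doe", case_id="2003-0142")
    print(audit_line(record))
    print("image intact:", verify_bytes(image_bytes, record))

    # Flip one byte in the copy: verification now fails, which is the whole point.
    tampered = bytearray(image_bytes)
    tampered[100] ^= 0x01
    print("tampered copy intact:", verify_bytes(bytes(tampered), record))
```

The hash of the image is computed from a second read of the stored copy rather than reused from the source pass; that is what lets the record stand as evidence that the copy, not merely the copying process, matched the original. Each call to `audit_line` should be appended to a log that the examiner cannot rewrite, which is the "audit trail" half of what Feldman charges for.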


[Photo: FBI Special Agent Robert Hawk in Cleveland after the recent blackout]




Top  Billing 


NEWS  FROM  INSIDE  THE  BELTWAY 


The  Market  of  the  Future 

Futures  markets  have  been  used  to  successfully  predict  elections  and 
sporting  events,  so  why  not  terrorism?  By  Julie  Hanson 


WHEN THE PRESS caught wind of the Pentagon's proposed FutureMAP initiative (also known as the terrorism futures market), an initiative that would create an online site where members could bet cash on when and where they thought terrorist attacks would occur, the program was quickly squashed. Members of Congress, such as Sen. Byron Dorgan of North Dakota and Sen. Ron Wyden of Oregon, chimed in to label the idea "unbelievably stupid." Terrorism might be a tasteless application of the idea, but futures markets have been used to successfully predict both elections and sporting events. Economists see them as having tremendous potential to measure the likelihood of future events.

The concept behind an online futures market is as follows: Participants select an event they want to bid on. Wagerers who believe the event will happen buy contracts on it; the more contracts they buy, the more strongly they are backing its occurrence. The Pentagon's Defense Advanced Research Projects Agency, or DARPA, regarded this as a way to gather opinions from a variety of people around the world.

Eric  Zitzewitz,  assistant  professor  of  eco¬ 
nomics  at  Stanford  Graduate  School  of  Busi¬ 
ness,  believes  these  markets  can  be  powerful 
because  of  their  ability  to  aggregate  random 
bits  of  information  in  one  location.  But 
Michael  Salinger,  professor  and  chairman  of 
the  department  of  finance  and  economics  at 
Boston  University,  is  not  sold  on  the  idea. 
Salinger  thinks  that  if  a  person  has  any  inside 


knowledge,  he  would  be  foolish  to  trade  it  in 
a  public  area,  especially  if  being  the  owner  of 
that  information  could  jeopardize  one’s 
career— or  in  the  case  of  terrorism,  one’s  life. 

A  success  story  for  the  predictive  power  of 
online  futures  markets  is  TradeSports.com,  a 
Dublin,  Ireland-based 
online  trading  exchange. 
TradeSports.com  CEO 
John  Delaney  calls  his 
market  a  person-to-per¬ 
son  trading  exchange.  Its 
21,000  members  can 
trade  contracts  on  the 
occurrence  of  a  wide 
range  of  events.  Currently, 
there  are  more  than  1,200 
contracts  on  Trade- 
Sports. com,  including  the 
outcome  of  major  league 
baseball  and  NFL  games, 
but  also  the  capture  of  Osama  bin  Laden  and 
the  likelihood  that  the  U.S.  terrorism  threat 
level  will  hit  red  by  December  2003.  Delaney 
has  lots  of  confidence  that  his  members  can 
help  predict  the  future.  “Our  belief  is  that  a 
real  money  opinion  poll  more  often  than  not 
will  get  better  information  than  a  simple  poll 
where  people  don’t  have  any  financial  inter¬ 
est,”  says  Delaney. 

Online  futures  markets  may  not  be  a 
scientific  sure  bet,  but  it’s  hard  to  imagine 
that  when  it  comes  to  predicting  terrorism 
there  will  ever  be  surety.  Perhaps  glancing 
over  what  members  of  these  markets  are 
predicting  isn’t  such  a  bad  idea.  ■ 

News  from  Washington 

To  read  more  about  what’s  happening  in  Washington,  D.C., 
visit  our  website. 


www.csoonline.com/wonk


Ten  states— California,  Florida,  Illinois, 
Kansas,  Michigan,  Nevada,  South  Car¬ 
olina,  Tennessee,  Texas  and  Virginia — 
have  enacted  new  laws  that  give 
broader  authority  to  law  enforce¬ 
ment  officials  to  investigate 
potential  cyberthreats  and  to  create 
new  definitions  for  criminal  activity, 
according  to  the  National  Conference  of 
State  Legislatures.  All  50  states  now 
have  homeland  security  offices. 

A  Massachusetts  District  Court  ruled 
that  Boston  College  and  MIT  do  not 
have  to  comply  with  Recording 
Industry  Association  of  America 
(RIAA)  subpoenas  demanding  that 
the  schools  reveal  the  identities  of 
students  believed  to  be  infringing  on 
copyrights  and  sharing  music.  The 
subpoenas  are  part  of  a  massive  effort 
on  the  part  of  the  RIAA  to  stop  peer-to- 
peer  sharing  of  music  files. 

The  House  Select  Committee  on 
Homeland  Security  will  examine 
how  power  outages  would  affect 
cyberterrorism  or  impede  critical 
infrastructure  protection,  according  to 
Committee  Chairman  Rep.  Christopher 
Cox  (R-Calif.).  The  committee  will  hold 
a  series  of  hearings  to  investigate  the 
vulnerability  of  our  nation’s  power  sup¬ 
ply  and  what  role  the  Department  of 
Homeland  Security  would  have  in  the 
case  of  nationwide  outages. 

Fifty-five  percent  of  respondents  to  a 
survey  conducted  by  the  Information 
Technology  Association  of  Amer¬ 
ica  said  they  themselves,  their  compa¬ 
nies  or  a  personal  contact  had  been 
directly  affected  by  the  Blaster  worm. 
Yet,  23  percent  said  they  do  not  regu¬ 
larly  download  software  upgrades  to 
prevent  attacks,  and  21  percent  said 
they  do  not  perform  routine  cyber¬ 
hygiene  tasks  such  as  updating 
antivirus  software  definitions. 




Security  Counsel 


Sarbanes, Oxley and You

Fiona Williams, a partner at Deloitte & Touche who is responsible for the security services practice for North America, answers readers' questions about the Sarbanes-Oxley Act


Q: What do you see as the most direct tie between Sarbanes-Oxley and an organization's security program?

A: There are several links between Sarbanes-Oxley requirements and a company's security program. They include: ensuring appropriate awareness of company security policies and commitment by management; designing and implementing appropriate security controls; and documenting and auditing security policies, and making sure they are understood by management and end users.

Q: Sections 302 and 304 of Sarbanes-Oxley require management to establish, maintain and report "internal controls"—but the Securities and Exchange Commission has not officially defined "internal controls." Are there specific sections on information security that relate to internal controls under Sarbanes-Oxley?

A:  Section  404  mandates  that  each  annual 
report  contain  an  internal  control  report, 
which  must  state  the  responsibility  of  man¬ 
agement  for  establishing  and  maintaining 
an  adequate  internal  control  structure  and 
procedures  for  financial  reporting.  It  must  also  contain  an  assessment,  at  the 
end  of  the  issuer’s  most  recent  fiscal  year,  of  the  effectiveness  of  the  internal 
control  structure  and  procedures  for  financial  reporting.  The  auditor  must 
attest  to,  and  report  on,  the  assessment  made  by  the  management  of  the  issuer. 

Sarbanes-Oxley will require that companies implement an established internal control framework. As part of that framework, general computer controls will need to be implemented and documented. Infosec controls are a key component of general computer controls; without them, general computer controls and overall internal controls cannot be effective. Therefore, infosec controls are a critical component to ensure an effective COSO-based internal control environment. (Visit www.coso.org for more information on the committee.)


Q: What elements of a corporate physical security program would fall under Sarbanes-Oxley? For example, does Sarbanes-Oxley require certain levels of physical security controls in a data center or similar facility? If yes, under what section does this reference fall?

A: Physical security does fall under the Sarbanes-Oxley requirements. It is a critical component of the infosec program as well as general computer controls. It falls within sections 302 and 404, which require that management evaluate and assert that the internal controls are operating effectively.

Q: What is the approach and process to implement Sarbanes-Oxley Act Section 404? Who is the driver? Is it purely a group audit function? What is the role of IT?

A:  The  process  for  implementing  Section  404  should 
include  project  management,  people,  process  and 
technology,  as  well  as  various  phases  of  implementation 
including  scope  and  plan;  assess  and  define;  identify 
and  document  controls;  perform  tests  and  remediate; 
and  monitor  and  certify. 

Management  should  be  the 
overall  driver  of  the  effort  and 
require  involvement  from  affected 
stakeholders.  Audit  should  not 
define  and  implement  the  control 
environment  but  may  be  involved 
in  monitoring  activities.  IT  will  be 
required  to  implement  the  auto¬ 
mated  aspects  of  internal  controls. 


Q:  I  have  heard  that  SEC  recom¬ 
mends  COSO  as  an  internal  control 
integrated  framework.  In  the  case  of 
physical  systems  securities,  such  as 
application  security  and  local  area 
network  security,  what  risk  assess¬ 
ment  procedures  should  an  IT 
department  take  to  ensure  that 
controls  are  in  place? 

A:  COSO  is  the  recommended 
internal  control  framework  that  companies  will 
implement.  It  requires  that  a  formal  risk  assessment 
be  performed  to  evaluate  the  internal  and  external 
factors  that  impact  an  organization’s  performance. 

The  results  of  the  risk  assessment  will  determine  the 
controls  that  need  to  be  implemented.  ■ 


Have a security topic to suggest or an expert you'd like to hear from? Send your thoughts to Assistant Managing Editor Kathleen Carr at kcarr@cxo.com. See what your peers are discussing at www.csoonline.com/counsel.




Flashpoint 


Legal  Is  from  Mars, 
Security  Is  from 
Venus 

When  the  security  team  and  corporate  lawyers  get  together, 
it's  usually  a  rocky  relationship  By  David  H.  Holtzman 


LAWYERS AND SECURITY OFFICERS make for poor soul mates. The security staff gets frustrated by the perceived pettiness of attorneys, and everyday security activities make messes that lawyers have to clean up. It's like the general counsel (GC) is standing in a grocery store with a mop, watching a herd of sumo wrestlers stampede down the dairy aisle to see who can get to the eggs first.

Every  action  that  the  CSO  takes  increases  the  risk  that  the  company  may  be 
sued.  If  organizations  monitor  client  data  to  scan  for  Trojan  horses  or  read 
employee  e-mail  to  enforce  acceptable-use  policies,  then  the  target  may  sue  them 
for  invasion  of  privacy.  If  companies  don’t  scan  client  data  and  an  avertable  dis¬ 
aster  happens,  then  they  could  get  sued  by  shareholders  or  even  by  the  government 
for  noncompliance  with  the  USA  Patriot  Act. 

The  nature  of  a  security  organization  is  to  protect  the  company  and  its  con¬ 
stituents  from  malicious  behavior.  The  department  rarely  has  the  authority  to  uni¬ 
laterally  dictate  policy,  so  a  major  part  of  the  job  is  evangelical— sensitizing  lay 
executives  to  the  evils  of  the  dark  side. 

The worst part of security requests is that they leave a paper trail. Every ignored recommendation is a headache for the GC because it removes plausible deniability as a defense and raises the specter of big damage awards from a jury.

The  legal  department  usually  responds  to  this  with  one  of  two  strategies: 
publishing  exaggerated  risk  disclosures  or  collecting  signed  waivers  from  every 
entity  that  deals  with  the  company.  This  includes  strong-arming  employment 
agreements,  nondisclosure  agreements  and  invention  assignments  from  insid¬ 
ers,  as  well  as  neutralizing  customer  complaints  by  papering  caveats  on  every  flat 
product  surface.  That’s  why  if  you  read  the  fine  print,  cellular  services  don’t 
commit  to  connectivity,  antivirus  checkers  aren’t  promising  to  find  viruses  and 
operating  systems  say  that  they  may  not  operate.  Legalese  sanitizes  the  corpo¬ 
ration  by  discarding  vulnerabilities. 

The  domestic  squabbling  continues  even  if  the  sky  does  fall.  Security’s  impulse 
is  to  call  the  cops  because  it  wants  to  find  out  what  happened  in  order  to  prevent 
a  reoccurrence.  Legal  prefers  a  private  investigation  that  emphasizes  identifying 
the  culprits  and  the  victims,  so  it  can  sue  the  former  and  get  releases  from  the 
latter. 

Lawyers look at the present but argue based on the past and precedent. Security officers argue for the future by looking at the present. They're not even in the same mental time zone. Legal has only one customer, the company, and its primary mission is to limit that client's exposure. Understanding that perspective can transform the CSO into a better communicator and more effective manager.

One of the chief strengths of lawyers is that they're interpersonally simpatico with the MBA crowd. When they bring up a problem at a meeting, you can be sure they've "socialized" it first. Security officers can adapt this strategy for their own purposes by reviewing their proposed policies with a pseudo-legal eye, suggesting caveats as part of the package, and ideally, asking legal to help with the wording.

Like vinegar and oil, sharp security doesn't mix well with contractual grease. The clashing between the two is not only distasteful but can ultimately neutralize the security guru because inevitably he will lose. The smart and sophisticated CSO, knowing this, will take the best of both and add a grain of salt. ■

David H. Holtzman, former CTO of Network Solutions, also worked as a cryptographic analyst with the U.S. Navy and as an intelligence analyst at DEFSMAC. He can be reached at david@globalpov.com.


26  www.csoonline.com  October  2003 


ILLUSTRATION  BY  STEPHANE  DENIS 


With Entegra you know.

Need to comply with regulatory requirements for data privacy and security? Or meet internal business requirements and policies? Then you need Entegra.

Entegra is a comprehensive data integrity solution that helps your enterprise address compliance, risk, security, and operations requirements. Know how your data assets are being used. Account for who's accessed what information - and what changes were made.

Find out more. Request your free white paper, "Data Access Accountability - Who Did What To Your Data When?" by visiting www.lumigent.com/go/cso. Or call us at 1-866-LUMIGENT (1-866-586-4436).

LUMIGENT
Safeguarding the integrity and availability of enterprise data

Copyright © 2003 Lumigent Technologies, Inc. All rights reserved. Lumigent, Entegra and the Lumigent Logo are trademarks or registered trademarks of Lumigent Technologies, Inc.




Presented by CIO, The Resource for Information Executives
Sponsored by COMPUWARE; Satyam (What Business Demands); SAVVIS (The Network that powers Wall Street)

CIO '04, a CIO Perspectives Conference. www.cio.com/conferences 800.366.0246

In order to ensure a true peer group experience, attendees must meet CIO Executive Programs' qualifications.


The Year Ahead
Issues ► Ideas ► Impact

What are our vulnerabilities? What are our options? What are our opportunities? What are our peers doing? A hard look ahead at the impact of current issues & trends.

WHERE: JW Marriott Desert Ridge Resort & Spa, Phoenix, AZ
WHEN: November 2-4, 2003
TO APPLY: www.cio.com/conferences or 800.366.0246

Conference Moderator: Jonathan Zittrain, Co-Director of the Berkman Center for Internet & Society and Professor at Harvard Law School

The Economy
What's the outlook? What domestic and foreign policies are helping or hurting? And what about the hard-hit tech sector?

Jobs & IT People
What happens when all the baby boomers start retiring? Does the younger generation really look at work differently? Why is there so little diversity in the IT ranks? Is offshore outsourcing leading to the extinction of most domestic IT jobs? Are our schools adequately preparing the next generation of IT and business workers?

Law & Society
How are CIOs coping with the Patriot Acts, Sarbanes-Oxley, HIPAA, and other legal mandates? What pending legislation is bound to give you headaches if it passes into law? How much security and privacy is enough? Is all the talk about ethics just that? Social responsibility: can business do well by also doing good—and do your customers care?

Technology
How worried should you be about vendor consolidation? What are the major cross-industry business concerns—and what solutions/initiatives are getting funded in the near term? Should you fear the RFIDs in your future? What emerging technologies are venture capitalists betting their money on now—and why?

Future of IT (& the CIO)
For many years, CIOs have been working hard to secure a place at the top management table. Now some business and industry gurus say IT is no longer strategic: it's just becoming a commodity and can't give a competitive advantage. Are they right? Should CIOs be worried?

Participants include:
Todd Dagres, General Partner, Battery Ventures
Christopher J. Feola, Vice President, Technology, Belo Interactive
Neil Gershenfeld, Director of the Center for Bits and Atoms, and Director of the Things That Think Research Consortium, MIT Media Labs
Asiff Hirji, Executive Vice President & CIO, Ameritrade Holding Corporation
Michael W. Horrigan, Assistant Commissioner, Bureau of Labor Statistics

And we'll give you plenty of networking opportunities, starting with the CIO Golf Tournament on Sunday morning, receptions, special small working groups and breakouts, mealtimes, discussion roundtables, and evening hospitalities.




Bruce P. Keller, Partner, Debevoise & Plimpton
Erik Lassila, Partner, Clearstone Ventures
Christopher Lindquist, Technology Editor, CIO Magazine
Abbie Lundberg, Editor in Chief, CIO Magazine
Roger McNamee, Co-founder & General Partner, Integral Capital Partners
Mark Polansky, Managing Director, IT Practice, Korn/Ferry International
Sheleen Quish, Global CIO & Vice President of Corporate Marketing, United States Can Company
Nick Sturiale, Partner, Sevin Rosen Funds
Lester Thurow, Author & Management and Economics Professor, MIT

Cover Story

The biggest challenge for Mohegan Sun's security and surveillance team? Catch the crooks before they leave the casino with the loot.

By Daintry Duffy


In the wee hours of a Monday morning, four guys sit down at a mini-baccarat table at the Mohegan Sun Casino in Uncasville, Conn. They are unremarkable in their appearance, demeanor and play. But their luck is anything but ordinary. In a matter of a couple hours, they ride their cards to a six-figure payout.

It could be chalked up to staggering good fortune. But in an industry where the odds are heavily stacked in favor of the house, and the schemes and scams vary from the legendary to the ludicrous, Dave Todd and Jim Friel have learned to be skeptical when Lady Luck pays an extended call. "Luck is always an intricate variable when trying to figure out if someone is cheating, and we evaluate their play to make that determination," says Todd, who is vice president of security and surveillance for the casino. "But sometimes we watch extremely lucky people, and they really are just that. Lucky."


IN THIS STORY: How to keep surveillance low-key in a high-stakes environment ■ Learn how to train security staff to become integrated into the business




Mohegan Sun's Dave Todd (left) and Jim Friel know that security and surveillance is no game at the world's second-largest casino.



Casino  Security 


In the case of the mini-bac players, there was reason to believe that they had more than just a well-worn rabbit's foot working in their favor. "Some people were of the opinion that these guys were lucky, but I knew something was wrong," says Friel, Mohegan's director of surveillance. A couple of details stood out for Todd and Friel when they arrived Monday and learned about the previous night's big payout. First, the win had occurred during a graveyard shift, the casino's 12 a.m. to 8 a.m. shift, when would-be cheaters assume there's a light surveillance staff. Second, the players had refused the free Player's Club cards that allow gamblers to rack up points toward food, merchandise and entertainment but that also require a valid I.D. for enrollment.

Still, the dealer, floor person and pit manager noticed nothing unusual about the way the men played. Perhaps they were no-frills guys out for a late-night gamble and didn't feel like getting bogged down in paperwork and comps.

Friel didn't buy it. He suspected that if anything untoward had happened, it was likely to have occurred during the shuffle. In mini-bac, eight decks of cards are used at a time, and while eight decks are in play, another eight decks are shuffled in a large glass-enclosed machine to the side of the dealer. Friel examined the casino surveillance video.

What couldn't be seen with the naked eye, Friel could see unmistakably through the camera's filtered lens. He noticed a small infrared beam emanating from the wrist of a gentleman sitting next to the shuffle machine, illuminating the cards as they were shuffled. The man—who to the casual observer was simply a player—was, in fact, a techno-savvy grifter, recording the cards with a high-speed camera tucked up his sleeve. After the shuffle, he left the casino floor to review the film and give the sequence of cards to the players—his four accomplices—who then played the next round knowing whether the banker's or the player's hand would win.


For Friel and Todd, playing detective and piecing together all the aspects of a scam is usually gratifying, but doing so almost 12 hours after the perps have decamped with their winnings is far from ideal.

Then again, that's the daily challenge for the Mohegan Sun security and surveillance team. The technology, procedures and training are all crafted with a single ambitious goal: Don't just catch the cheats—catch them while they're still on the floor.


Both Todd and Friel earned their security stripes in the fast lane, first as Philadelphia cops and later on the casino floors of Atlantic City. Swindlers and cheaters bank on the knowledge that if they're fingered by casino security, it's a quick sprint to the doors where they can be lost in the bustle of the boardwalk or the crowds of another casino. "It was more of a big city atmosphere where people intentionally tried to commit thefts and were more resistant to security," says Todd, comparing Atlantic City's clientele with that of a rural Connecticut setting. Mohegan Sun attracts few hardened criminal types. The opportunity to escape from the authorities is minimal—unless paddling away on the nearby river Thames can be considered an option—and Mohegan's tribal police have the authority to close down reservation roads if necessary.

Todd started at Harrah's and moved to Harrah's at Trump Plaza casino when it opened in 1984. He became a director of security and a personal bodyguard for Donald Trump, coordinating executive protection details for The Donald and the numerous stars, dignitaries and tycoons who drifted in and out of his orbit. Todd also managed security for the Trump Plaza casino and for big arena events such as Mike Tyson's heavyweight bouts and Rolling Stones concerts.

Friel worked in surveillance down the strip at Claridge and then moved to the Playboy casino and finally over to Trump Plaza, where he joined Todd as the director of surveillance.

After 16 years in Atlantic City, Todd couldn't pass up the opportunity to manage security and surveillance for Mohegan Sun when it opened in 1996, and he brought Friel with him to continue their partnership. Both men realized from the outset that the challenges of running security at the sprawling 240-acre casino and resort would be very different from their previous assignments. Aside from the different environment, Mohegan Sun is also the second-largest casino in the world with 300,000 square feet of gaming space (only its Connecticut neighbor Foxwoods Casino is larger with an additional 20,000 square feet). The sheer sprawl of the casino necessitates an enormous surveillance system with more than 3,000 cameras and a sizeable security staff, including 450 full-time security officers working three eight-hour shifts plus 10 part-timers and an additional 60 officers on call.

PHOTOGRAPHY COURTESY OF MOHEGAN SUN; PHOTO RIGHT BY JASON GROW

Mohegan Sun's 240-acre casino and resort requires more than 3,000 surveillance cameras and a sizeable security staff.

Aside from the scale of the challenge, Mohegan Sun also requires a different approach to its customers. Todd takes issue with the cliche that casinos are magnets for unsavory individuals. It might get its share of cardsharps and pickpockets, but most crimes that occur at Mohegan Sun are what he refers to as "thefts of opportunity." One patron steals the coins that another patron inadvertently leaves at a slot machine. It's criminal behavior, but as larcenies go, it's hardly egregious.

Gambling can be an emotional roller coaster—the exhilaration of being up $2,000 often followed by the pain of losing it all back to the house. When patrons are greeted with a smile, it's good marketing, and it's also a form of preventive security. If gamblers feel put off or ignored, and it's combined with a loss on the casino floor or a little too much alcohol, it can create a problem. "When security folks make eye contact [with customers] and treat them nicely," says Todd, "it sets the mood for the day and makes people come back because it's a friendly and safe place."

Atlantic City's quasi-police force approach wouldn't work with Mohegan Sun's family-oriented setting. Todd wanted a kinder, gentler security force that would still maintain a strong presence. The result is the blue-blazered officers that stand at every door to greet the 210,000 visitors who come through the casino each week. They make eye contact with everybody and stay watchful for known troublemakers and minors, but they're also quick to provide directions or to wish a patron luck on the casino floor. It's an approach that Todd compares with the uber-bouncer role in the movie Road House. Todd instructs his security officers, "I want you to be nice, until it's time to not be nice."

Training Mohegan's security staff to recognize the growing list of scams is yet another challenge to which Todd and Friel give constant attention. Security and surveillance need to be vigilant for everything from old-fashioned distract-and-grab teams that prey on gamblers to more sophisticated cheats that work solo at the slots, pushing mini-fiber-optic lights up the machine to blind the counting optics so that they release more coins.

But because security pays less than gaming, Todd struggles to hold on to his staff. Often young people start out in security, where they receive a company orientation and a week of security training. After six months, they move on to one of the gaming departments. While it's frustrating to have the constant turnover, it is conducive to building security awareness throughout the organization as employees with security backgrounds disperse among the casino's various departments.

In Friel's group, the pay is better and a basic knowledge of cameras and surveillance is preferred. New surveillance staff also receive more training, attending six months of gaming schooling where they learn all the games on the casino floor. The goal is that they should know each game as well as—or better than—the dealers and the players in order to detect inappropriate behavior. Once they begin work, they also have a surveillance coach who works with them, sharing experience and teaching them the intricacies of detecting a scam underway. Surveillance staff can never transfer to another position within the casino, because they know too much about where all the cameras are located and the "tells" that surveillance staff look for.


The security stats suggest that considering the casino's level of risk, Todd's approach has been effective. As of August 2003, Mohegan Sun has had 576 total arrests since it opened. The most common reasons were trespassing by banned individuals (180), breach of the peace (136) and larceny (118). The casino has had only one case of a person being robbed.

Todd credits some of that success to the fact that security and surveillance work hand-in-hand at his casino—a situation that he says is not the norm at most establishments. Todd describes the relationship that often exists between the two departments in other casinos as being hampered by "a CIA mentality," where information-sharing between departments is poor because everyone wants to be the hero who gets credit for busting up a scam or handling a security problem. Todd's position uniquely places him over both security and surveillance, and his office and Friel's are close enough that hollering out a question makes more sense than picking up a phone. "Up here, we get tremendous benefit from working together," says Todd. "Surveillance calls security right away, and they keep in constant contact. Nobody stands out more than anyone else, and we rise and fall as one team."

On the resort, there are three different security forces that must all work side-by-side: the casino security team, the tribal police and the state police. Todd has mandated that his security staff cannot touch a patron, except in self-defense, but there are always two or three state troopers on hand to deal with any arrests or violent security problems. The hotel and grounds at the resort are handled by tribal security. They have the authority to stop a person's forward progress and to detain an individual, but they also must hand them over to state police for an official arrest.

But Todd's team also extends beyond the borders of the Mohegan Sun reservation. The casino security community is a small, tight-knit one, and with so many criminals working the same ploys at one casino after the next, information-sharing across security departments is critical to catching them in the act.

Networking among the casinos is not done through any formal system; rather it's through e-mails and phone calls among "the guys" who have worked together in various venues during the years and who now watch each other's backs. Friel and Todd both have numerous contacts in Atlantic City and Las Vegas, and they'll frequently get a phone call from a contact alerting them to a new scam or notifying them that a well-known crook was spotted at the Philadelphia airport and may be working his way up the East Coast. "You have to keep an open line of communication," says Todd, "because you're only as good as the information that you get. People come in disguises; they come in from all over and you're not going to know them. So when you have the chance, you give somebody a heads up so they're prepared for it, and if it's relayed to you, then you're prepared."


While many CSOs struggle with the issue of employee monitoring—debating how much of it to do and how to do it—Todd and Friel have no such qualms. Constant monitoring on the casino floor, and in sensitive areas in the back of house, is a fact of life for the casino business. "[Security officers] understand that because we're constantly moving money from one area to another we have to monitor them," says Todd.

All casino employees must be licensed in order to work at the resort. When they first submit their applications, the Casino Licensing and Operations Unit performs an extensive background check, working from a 70-page document that examines the applicant's time in school, family, relatives and finances.

Employee behavior on the casino floor is strictly controlled with set procedures, and any deviation from that will draw surveillance attention. For example, when a dealer gets tapped by another to take over the table, he shows his palms with fingers extended and claps his hands to show that he hasn't palmed any chips off the table. Any movements that he makes toward his body—a yawn, a cough, a scratch on the back of the neck—are all cause for suspicion. "I've had [dealers] put chips down their back, palm them under a thumb, put them in their mouth while yawning or coughing," says Friel. The same procedures help identify instances where a dealer and player may be in cahoots to defraud the casino. In roulette, a dealer waves his hand across the table to indicate that the ball is about to drop and no more bets can be placed. If the dealer doesn't wave off or a player slides his chips over to the winning number after the ball drops—a scam technique called past-posting—and the dealer pays out, those are obvious indicators of fraud. "In the last couple months, we've had a couple of dealers get arrested, one with their spouse and another with a relative for paying too much money," says Friel. "One gave [a player] $200 right out of the rack. We just review, record, observe and report, and if it makes the papers that's a good deterrent."


Technology's Winning Hand

Whether it's a card-counting group from MIT or a lone slot-thief, casinos rely heavily on technology to fend off crime—particularly now that the criminal population is taking advantage of faster, cheaper and smaller communications and surveillance technologies on the market. Mohegan Sun is one of the few casinos that has gone digital: With the exception of 400 cameras that cover back-of-house areas and the garages, all the rest of the casino's cameras use digital recording and are backed up on hard drive. For most houses, a digital system is cost-prohibitive. But Mohegan found a vendor, Loronix, that was eager to get its system set up inside a major casino. In 1999, when it cost about $6,000 to put a camera on the digital system, Mohegan negotiated Loronix down to $3,000 per camera by agreeing to be a showplace for the system. Although that still required an initial outlay of $3 million to get the system going, Friel and Todd thought it was worth it. They rolled out the system in May 2000.

On the old VCR system, surveillance would have to change tapes frequently, and over time, the VCR heads would get dirty and distort the picture. Digital search and retrieval functions are quicker, and the pictures are clearer, making it easier to review the images. Mohegan also has a real-time video system that it shares with nearby Foxwoods Casino. If Mohegan staffers suspect someone of running a scam on the casino floor, they can send the video over a phone line to Foxwoods' surveillance team. If a similar scam has been run there or if Foxwoods security recognizes the individual in question, it can help Mohegan resolve the case faster.

Facial-recognition systems have also become a popular tool across the industry. Viisage Technology offers a package of software programs that includes the aptly-named SIN (surveillance information network). SIN currently ties about 140 casino surveillance rooms together, allowing them to share information about scams and to help identify cheaters. The package also includes a casino enrollment program that allows the casino to set up databases for facial recognition. It can search those databases based on name, race, sex, game being played or other factors to help identify known cheats or ex-employees on the floor.

Viisage also has a new technology called Face in the Crowd that uses a fixed camera posted at the top of an escalator or in an entryway to scan every face and compare it to its databases. While that will be a useful tool for keeping crooks out of the casino, it can also be used to identify high-rollers that the floor hosts want to give special treatment. "If someone with a high credit line walks in and hasn't been there for a year and a half, that information can be sent out to the host," says Jim Pepin, director of sales and marketing for Viisage's gaming group. The host can then greet the player with the appropriate personal details: "How's your wife Sharon?" "What about your tennis game?" "We have your favorite drink ready for you." Mohegan has tested facial recognition in the past and was not happy with the results but is looking at some of the new and improved versions of the technology that have come out.

At Mohegan, casino video is reviewed in a state-of-the-art monitoring room where screens along the walls show thousands of different perspectives of casino tables and gaming areas as well as back-of-house areas. Screeners are always there watching the monitors and reviewing play on the floor. A casual glance from a dealer will alert the floor person that there's something suspicious going on with a particular player. The floor person will alert the pit manager, who will instruct surveillance to put the camera right on the table for monitoring. Other screens in the monitoring room cover the counting rooms where the hard count (coins) and the soft count (bills) are underway. Huge machines process hundreds of thousands of bills and coins, counting up the take and looking for counterfeits. The surveillance staff also has a number of software programs that they use as tools behind the scenes to monitor play.

One such program, the BJ Voice Survey program, is used on blackjack players that are suspected of being card-counters like the fellows from MIT who use different mathematical methodologies to track the cards in a deck and identify areas where the cards fall overwhelmingly in favor of the player. Card-counting isn't illegal, and most gamblers who try to do it fail miserably, but there are some skilled players—perhaps the top 1 percent—who can make a killing at it. Casinos try to identify them and, depending on the jurisdiction, either throw them out (as in Las Vegas) or limit their bets to the minimum per hand (Atlantic City and Connecticut). Using the BJ Voice Survey, a surveillance person will vocally recite every card value seen, along with the bet amount made by the player. The program looks for any correlation between the bet amount and the advantage that the player may have at any given point in the game to determine if he is counting cards. The Survey can run in real-time while the player is still at the table gambling.

-D.D.

PHOTO LEFT BY JASON GROW

The casino security community in general works together to thwart criminals who simply move from one location to another.
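The bet-to-count correlation that the sidebar attributes to the BJ Voice Survey is easy to make concrete. What follows is an added example, not the casino's or Viisage's software (the article describes what the program looks for, not how it is built). It assumes the Hi-Lo counting system and a six-deck shoe, neither of which the article specifies, and the two ten-hand logs are constructed for the example: a counter who ramps bets as the count rises, and a flat bettor dealt the same cards.

```python
"""Bet-to-count correlation check for a blackjack hand log.

Added example: not Mohegan Sun's BJ Voice Survey software, whose internals
the article does not describe. It assumes the Hi-Lo counting system
(2-6 count +1, 7-9 count 0, tens and aces count -1) and a six-deck shoe;
the article names neither, so both are assumptions. The hand logs at the
bottom are constructed for the example.
"""
from math import sqrt

# Hi-Lo tag for each card rank (assumption: the article does not say which
# counting system the casino's tool models).
HI_LO = {r: +1 for r in "23456"}
HI_LO.update({r: 0 for r in "789"})
HI_LO.update({r: -1 for r in "TJQKA"})

CARDS_PER_DECK = 52


def true_counts_before_each_bet(hands, decks=6):
    """Return (running_count_after_each_hand, true_count_before_each_bet).

    `hands` is a list of (bet, cards_seen) tuples in play order, where
    cards_seen lists every card rank exposed in that round, as a surveillance
    operator would recite it. The bet for hand i is placed knowing only the
    cards from hands 0..i-1, so the true count is taken *before* that hand.
    """
    running, seen = 0, 0
    running_after, true_before = [], []
    for bet, cards in hands:
        # Never divide by zero near the cut card: floor at half a deck.
        decks_left = max(0.5, decks - seen / CARDS_PER_DECK)
        true_before.append(running / decks_left)
        for card in cards:
            if card not in HI_LO:
                raise ValueError(f"unknown card rank {card!r}")
            running += HI_LO[card]
        seen += len(cards)
        running_after.append(running)
    return running_after, true_before


def pearson(xs, ys):
    """Pearson correlation; 0.0 when either series is constant (flat betting
    carries no information, so it must not be reported as a signal)."""
    n = len(xs)
    if n < 2:
        return 0.0
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    if sxx == 0 or syy == 0:
        return 0.0
    return sxy / sqrt(sxx * syy)


def analyze_player(hands, decks=6, threshold=0.7):
    """Flag a player whose bet size tracks the true count.

    The 0.7 threshold is a placeholder for the example; a real tool would be
    tuned against known counters and known flat bettors.
    """
    running_after, true_before = true_counts_before_each_bet(hands, decks)
    bets = [bet for bet, _ in hands]
    r = pearson(true_before, bets)
    return {
        "running_counts": running_after,
        "true_counts_before_bet": true_before,
        "bet_count_correlation": r,
        "flagged": r >= threshold,
    }


# Constructed ten-hand logs: same cards for both players, different betting.
SHOE_CARDS = [
    ["T", "5", "K", "9", "6"],
    ["3", "4", "2", "J", "6", "5"],
    ["2", "6", "7", "4", "3", "8"],
    ["5", "2", "9", "3", "6"],
    ["A", "K", "Q", "T", "4"],
    ["J", "T", "A", "9", "K", "Q"],
    ["K", "A", "Q", "T", "8"],
    ["T", "J", "K", "A", "7"],
    ["Q", "T", "9", "K"],
    ["6", "5", "T", "A"],
]
# A counter ramps bets as the count rises and drops back when it falls.
COUNTER = list(zip([25, 25, 50, 100, 200, 150, 50, 25, 25, 25], SHOE_CARDS))
# A flat bettor plays the same cards at table minimum throughout.
FLAT_BETTOR = list(zip([25] * 10, SHOE_CARDS))

if __name__ == "__main__":
    for name, log in (("counter", COUNTER), ("flat bettor", FLAT_BETTOR)):
        result = analyze_player(log)
        print(f"{name}: r={result['bet_count_correlation']:.2f} flagged={result['flagged']}")
```

Two details matter for a check like this. The true count is taken before each bet, because the player could not have known the cards dealt in that round when the wager went down; using the count after the round would credit the player with foresight he did not have. And a flat bettor produces zero bet variance, so the correlation is undefined rather than zero; the example returns 0.0 in that case instead of dividing by zero, which is the right answer operationally too, since flat betting is precisely the pattern that carries no counting signal.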


A casino's security depends largely on the security staff's ability to manage people and situations. As much as Todd might wish that each patron coming through the doors is there to have a good time, that's sometimes not the case. Since it opened, the casino has had more than 4,000 ejections—people asked to leave for various reasons (such as being drunk or disorderly).

Overstuffed binders with information about undesirables line the walls of the security department for reference. Prior to ejection, the security staff takes each patron's picture and records her personal information. They also require the individual to sign a form that acknowledges she will be arrested for trespassing if she returns.

Ejections  from  the  casino  are  permanent, 
but  if  an  unsavory  character  wants  to  return  to 
the  casino  after  being  kicked  out,  he  can  write 
a  letter  to  Todd  explaining  and  apologizing  for 
his  behavior  and— depending  on  the  severity 
of  the  case— Todd  may  lift  the  ban.  If  ejectees 
tiy  to  sneak  into  the  casino,  security  staffers 
with  a  good  memory  for  faces  often  will  iden¬ 
tify  them  and  turn  them  away.  In  other  cases, 
ejectees  who  have  returned  and  hit  a  jackpot 
get  identified  because,  for  tax  purposes,  the 
casino  has  to  record  a  Social  Security  number 
for  any  winnings  of  $10,000  or  more.  The 
security  group  always  runs  those  numbers 
against  the  ejected-patron  database,  and  their 
winnings  are  confiscated  and  they  are  shown 
the  door  again. 

While the casino with its lush decor and high-end boutiques and restaurants is clearly not built on losing money, Todd and his staff do have some compassion for the people who go overboard with gambling. “If we see someone who’s really upset about losing, he or she may have a problem,” he says. “We’re not in this business to hurt people or to take their money to a point they have to remortgage their homes.” Patrons with gambling problems will often request to be banned from the casino, and at Mohegan Sun, that kind of ban can never be lifted.

Mohegan Sun opted for a kinder, gentler security force for its

“You have the dealer watching the patrons, the floor personnel watching the dealer, the pit manager watching him,” and so on.

-JIM FRIEL, MOHEGAN SUN’S DIRECTOR OF SURVEILLANCE


If you think corporate security is rife with bureaucracy, then imagine how absolutely everyone has their eye on how security performs in the gaming industry.

Todd devises the policies and procedures for the casino’s security, but they must be approved by the Casino Licensing and Operations Unit, which has a staff that surveys and audits the casino to make sure it is abiding by the rules and regulations set out by the compact—the agreement made between the state and tribe that permits gambling. There is also a National Indian Gaming Commission that comes in to audit the policies and procedures that Todd puts in place to make sure that all the tribes are doing things the same way. The Indian commission ensures that if security has mandated that dealing will be done in a particular manner, then that’s what’s happening on the casino floor. Because the state of Connecticut gets 25 cents for every dollar Mohegan Sun and Foxwoods make on their slot machines (so far, more than $1 billion has been generated for the state), it also keeps a watchful eye on security. State employees have video monitors in their offices that allow them to watch what’s happening in the counting rooms, and they check all the security logs. “You have the dealer watching the patron, the floor personnel watching the dealer, the pit manager watching him, the shift manager watching the pit manager, then the casino manager, then the director, then the VP,” says Friel, elucidating the chain of observation within the casino. And with all the scrutiny that security has put in place, they, in turn, are surveilled just as closely. At Mohegan Sun, nothing is taken for granted. “We watch all of them, and the commissions are watching us,” says Friel. “We are audited every which way but loose, and nobody trusts nobody.” ■

Senior Editor Daintry Duffy can be reached via e-mail at dduffy@cxo.com.


Fight Fraud

Cheating at the baccarat table is just another form of fraud. Read “The Fraud Squad” to learn what you should be doing to fight it. Type the DocID number (above) into the search box at www.csoonline.com to find the article online.




[SURVEY]

BY SCOTT BERINATO
WITH RESEARCH DIRECTED
BY LORRAINE COSGROVE WARE

ILLUSTRATION BY JOHN WEBER


The best place to start is with what “The State of Information Security 2003” survey doesn’t include. It doesn’t include some stark bit of data that will make you slap your forehead and exclaim, “Oh, that’s the problem!” It doesn’t include figures that suggest a secret formula for setting a security budget. Nowhere in its hundreds of pages of raw numbers will you find The Answer, because The Answer is a fiction, even if the problem is not. Information security is a difficult, nuanced and immature craft. Silver bullets are for people who aren’t serious about solving the problem.

What this survey does include, in its depth (more than 7,500 respondents) and intricacy (44 questions cross-tabulated by company size, security budget, geographical region and dozens of other categories) is a comprehensive profile of the imperfect and evolving world of information security.

According to the survey findings, it seems you’re all just now coming to terms with information security as a problem. You understand that fixing the problem won’t be easy—that it will take a complex combination of infrastructure, education, proactive risk analysis and regulation. But at the same time, you seem to be hoping against hope that an easier way out will present itself. You know you need to do more, but the survey shows that you’re not yet doing it. It’s the classic economic principle known as the Problem of the Commons: Information security is a problem, but it’s not my problem.

And one can hardly blame you for taking such a stance. Information security, right now, is a confused and paradoxical business. For example:

■ You’ve increased spending significantly, and you’re told this is a good thing, and yet it has had zero effect in mitigating security breaches.

■ You’re constantly warned about “digital Pearl Harbors,” and yet the vast majority of incidents you report are relatively small, don’t last long and don’t cost much.

■ You’re told that aligning security and business strategies is a top priority, and yet those who have fared best in avoiding breaches, downtime and security-related damages are the least likely to be aligned with the business.

But in another sense, you seem to be contributing to the confusion.

■ Respondents who suffered the most damages from security incidents were two times more likely than the average respondent to plan on decreasing security spending next year.

■ Those with the most damages were nearly half as likely to list staff training as one of their top three priorities.

■ A quarter of you neither measured nor reviewed the effectiveness of your information security policies and procedures in the past year.

In short, the survey shows that as much as the nascent information security discipline has grown since its baptism—on Sept. 18, 2001 (one week after the terrorist attacks and the day the Nimda worm hit)—it hasn’t much improved with age.


“The State of Information Security 2003,” a worldwide study by CIO magazine (a sister publication to CSO) and PricewaterhouseCoopers, was conducted online from April 15 through July 7, 2003. Readers of CIO and CSO and clients of PricewaterhouseCoopers from around the globe were invited via e-mail to take the survey. The results shown here are based on the responses of 7,596 CEOs, CFOs, CIOs, CSOs, vice presidents and directors of IT and information security from 54 countries. The margin of error is 1.1 percent.

The study represents a broad range of industries including computer-related (14 percent), government (9 percent), consulting and professional services (8 percent), financial services and banking (8 percent), noncomputer manufacturing (8 percent), education (7 percent), and health care (4 percent).

One-quarter (26 percent) of the respondents were IT executives, while 16 percent were information security professionals. Fifteen percent of those surveyed held CEO, CFO or non-IT director titles, and 19 percent were network administrators. One percent listed internal auditor as their title, while 21 percent listed “other.”

Forty-two percent of the executives surveyed reported total annual sales of less than $100 million, while 18 percent reported sales between $100 million and $999.9 million. Twenty percent of the survey base said their organizations’ annual sales exceeded $1 billion, while 20 percent were nonprofit organizations and therefore did not report annual sales.

When asked about company size, 28 percent said their organizations had less than 100 employees, and 31 percent had between 100 and 1,000 employees. Nineteen percent of the survey respondents reported between 1,000 and 5,000 employees, and 20 percent had more than 5,000 employees. (Numbers may not add up to 100 percent due to rounding.)

-Lorraine Cosgrove Ware




Can we suss out any prevailing trend at all? If there’s one there, it’s hard to tell. In this particular survey, trends drift aimlessly. Positive correlations are rare. What you do about information security and what actually happens seem only vaguely allied.

Except for one case, where a connection was clear. In this survey, confidence in security correlates to better security, irrefutably. In other words, those who feel like they’re doing better, are doing better.

What follows are the five cuts we made of “The State of Information Security 2003,” including the aforementioned confidence correlation. Each provides insight into some aspect of this confused and complex discipline. In one, there’s even a calculation—an innovative method for benchmarking security spending called the per capita expenditure.

Forget silver bullets. Hard data, and lots of it, is what you need to start improving information security. And here it is.

Fuzzy Logic

It is frustratingly difficult to find any relationship at all between good security and spending. And sometimes there’s even a negative relationship.

Companies with $500,000 or more in damages were more than twice as likely to plan to cut security spending as companies that suffered no monetary loss in damages.


WHAT THE NUMBERS MEAN

Since companies’ size, and therefore their budgets, varied so widely across the survey’s more than 7,500 respondents, the relative measure of security spending as a percentage of the overall IT budget provides a better comparative measure than the total spent on security. The mere single percentage point between the highest spenders and lowest spenders (when cross-tabulated with breach data) shows that those suffering fewer security incidents don’t necessarily spend more to stay secure—or, to flip it over, those who are hit the hardest by breaches aren’t spending any less than those untouched.

So you can’t accuse the companies suffering breaches of not spending enough. But perhaps they’re not spending well. The hardest question for IT security officers to answer clearly isn’t How much should we spend? but rather How should we spend?

The answer: Probably by devoting less to technology.

Security expert Bruce Schneier thinks the wanton deployment of technology hasn’t helped because it hasn’t been matched by a similar deployment of the soft stuff—training, education and awareness (see “The Evolution of a Cryptographer” in the September issue).

“Computer security folks are always trying to solve problems with technology, which explains why so many computer solutions fail so miserably,” he says. “Most of the time, the security problems are inherently people problems, and technologies don’t help much.”

Take photo IDs, for instance. Schneier says that technologists want to add this or that to make IDs harder to forge, but what about the people who bribe the issuing officials to get real IDs in fake names? (At least two of the 9/11 terrorists did that.) The technology that makes an ID harder to forge doesn’t solve that problem.

In addition to the willy-nilly deployment of technology, some companies are also not using the technology to its full potential.

Consider that seven out of 10 survey respondents used intrusion detection systems, eight of 10 used firewalls, and nine of 10 used antivirus software. But only 50 percent of events were detected through those technologies or through security service providers managing those technologies for a company. The other half were detected the hard way—by customers, colleagues or news outlets alerting the company of a breach, or worse yet, by the damages the event caused.

WHY SPEND MORE? Companies that weren’t breached didn’t necessarily spend more.
SECURITY SPENDING AS A PERCENTAGE OF I.T. BUDGET, compared by no. of incidents (0 vs. 50+), total downtime (0 vs. 10+ days) and monetary damages ($0 vs. $500K+).

Companies have deployed so much technology, and it has generated so much data in the form of log files, that they have given up trying to interpret the data. The haystack has gotten too big to look for needles in it, says Andrew Toner, partner in PricewaterhouseCoopers’ security practice. “When [organizations] give up, that’s when breaches are going to happen.”

One interpretation for the disturbing trend of budget cuts by companies that were hit hardest by hacks is that they just gave up. Another possible explanation is that these companies are hard hit by something else—the economy—and they are cutting budgets across the board regardless of security breaches.

But it’s just as likely that they’ve decided that the money they had spent was money down the drain. Why? Information security, for whatever reason, hasn’t yet adopted risk management as a philosophy. It’s still treated binarily: Either you’re safe, or you’re not. Either the money you spent worked, or it didn’t. And that must change.

“People think in terms of threats, not in terms of risk,” says T. Sean McCreary, a risk management specialist at The Motorists Insurance Group who previously served as a security manager and safety manager at two prisons. “Risk management allows you to assemble threats into some order of importance so the available funds can be used most effectively to prevent and prepare for the identified risks.”

Why haven’t information security professionals adopted a risk management approach?

“Because it’s harder,” McCreary says. “It takes more time and effort, and, of course, more knowledge than they have.”

TO-DOs

1. Target spending on the soft stuff—awareness, education, risk management training—instead of throwing more technology at the problem.

2. Take better advantage of the technology you do have by interpreting the data it generates, not just letting it block attacks.




The Confidence Correlation

Those who are very confident in their security have stronger security infrastructures in place, and they spend more on security as a percentage of their IT budgets.


PROFILES IN CONFIDENCE How confident are you that your organization’s information security activities are effective? The more security infrastructure you create, the more confident you’re likely to be.

                                                        OF THE “VERY       OF THE “NOT AT ALL
                                                        CONFIDENT” GROUP   CONFIDENT” GROUP
Information security is audited by a group outside IT   49%                29%
Security reports outside of IT                          32%                17%
Security committee is responsible for setting policy    27%                12%
Infosec budget as a percentage of overall IT budget     14%                 7%
Security reports to CSO/security committee              13%                 5%
Security committee sets spending levels                  8%                 3%

WHAT THE NUMBERS MEAN

Structure and dedicated resources breed confidence. And confidence, experts say, breeds better security. In a sea of data that fails to reveal relationships between security and best practices, the confidence factor is a welcome sight. We can even go so far as to herald the one-quarter of respondents who called themselves “very confident” in their organizations’ security as security leaders. That group tends to create far more structure around security within the organization—in other words, making it a discipline and not something that happens as part of the IT group. They hire more security executives and give those executives more control over policy, spending and staffs.

Another key point: The more confident a company is in its security, the less likely the security is controlled by the IT department. Many believe that IT’s oversight of information security has been a limiting factor in improving it—that, if the CSO reports through the CIO, it’s like having the fox guard the henhouse. If the CIO, for example, controls both the CRM implementation, which he’s been told to get done in one year for $2 million, and is also in charge of information security, which will add time and money to that project, to which master does he answer?

At the very least, IT leaders should be self-policing and conducting independent audits of their security practices. But the numbers in that regard don’t suggest companies are. About 75 percent of companies don’t perform third-party assessments of privacy standards, and 60 percent don’t audit security standards. No one indicated that systems were tested for security/policy compliance.

Extracting information security from the IT department overnight may not be wise either, but a good way to start the process of separating the two would be to conduct third-party audits and verification that security isn’t getting subverted.

Bill Spernow, former director of IT for the Georgia Student Finance Commission, says the first thing he did when he got his job was to fight for, and win, independence from the IT department. “It’s the biggest battle I had there,” he says. “If I see a CISO reporting to some IT component, I see a position that’s not working, guaranteed. The conflict of interest is just too much to overcome. Having the CISO report to IT, it’s a deathblow.”

TO-DOs

1. Create structure around information security by hiring a CSO or creating an executive security committee.

2. Consider extracting the information security function from the IT department.


Little Bangs Everywhere

Major security breaches are the exception, not the rule. Most security incidents lasted less than a day and cost less than $100,000. And most companies had 10 or fewer such events in the past year.


FEW ATTACKS The vast majority of companies dealt with fewer than 10 attacks per month. (Number of negative security-related events per month.) Segments: None; 1 to 9; 10 to 49; 50+.

LITTLE DOWNTIME In the rare event of a breach, downtime was usually limited to less than 24 hours... Segments: None; 1 day or less; More than 1 day.

MINIMAL DAMAGES Only 14 percent of attacks cost more than $10,000. Segments: None; Up to $10,000; Don’t (17%); 14%.

WHAT THE NUMBERS MEAN

Terrorists can shut down the Internet or the power grid. A hacker can take down your whole company. Both plausible headlines—or lines from consultants trying to sell their services—from the past year. But survey data shows that you’re not dealing with the Great Chicago Fire. You’re dealing with lots of little brush fires.

The question then becomes: Are the little hacks common because you haven’t done a good job of protecting your enterprise? Are the big-bang incidents rare because you have? Or are you simply lucky enough to have avoided the big problems but not lucky enough to ward off the smaller incidents?

In any case, you’re exposed to the smaller incidents. And Howard Schmidt, vice president and CISO of eBay (and former special adviser to the White House for cyberspace security), thinks the prevalence of little bangs everywhere does not suggest you’ve done a good job steeling yourself against major attacks. Instead, he sees a severe lack of discipline everywhere.

“If anything, the more you take care of the little stuff, the less likely someone will be able to pull off a big attack,” says Schmidt. “I see it all the time. Companies are always pushing, ‘Let’s just open this one little port.’ Then next thing you know they want another port, and another. And that leads to all these vulnerabilities, which turn into little brush fires. No one draws the line and says no. Instead of creating a culture of security, we’re often creating a culture of getting around security.”

The way technology is designed—based on open architectures—only fosters that kind of shortcut culture.

One of the reasons the culture has centered around side-stepping security is because it’s usually a pretty simple thing to do, to open a port, or to allow someone to receive attachments in e-mail. For this, there is no architectural cure.

But the encouraging message buried in Schmidt’s commentary is that, to mitigate the problem, little if any additional technology, spending or other resources are really required. All that’s required is some discipline—someone to draw the line and say no.

TO-DOs

1. Refocus a security program so that it takes into account the smaller, more frequent threats as well as “the sky is falling” threats.

2. Assign a disciplinarian, and vigilantly enforce security rules without exception or variance.


THE UNITED STATES OF LITIGIOUSNESS In the wake of a security breach, Americans are eager to tell lawyers and the authorities, and yet far less likely to inform another important party—the customer.

ORGANIZATIONS INFORMED OF NEGATIVE SECURITY-RELATED EVENT

LEGAL COUNSEL
North America  50%
Rest of world  22%

GOVERNMENT AUTHORITIES (NATIONAL OR LOCAL)
North America  38%
Rest of world  19%


BUSINESS  PARTNERS/VENDORS/SUPPLIERS 


THE ROI OF FEAR The threat of getting sued loosens purse strings more than any other factor—especially in America.

PERCENTAGE OF COMPANIES THAT USED LIABILITY AS A JUSTIFICATION FOR SECURITY INVESTMENTS
North America  80%
Rest of world  61%

EUROPE THE PRIVATE Europe sets the gold standard for privacy practices.

PERCENTAGE OF ORGANIZATIONS THAT EMPLOYED A CHIEF PRIVACY OFFICER


North  America 
Rest  of  world 


25% 

Europe 

31% 

38% 

Rest  of  world 

15% 

CUSTOMERS
North America  25%
Rest of world  38%


THE ROAD IS SAFE, THE HOUSE IS NOT Data is rarely stolen when it’s in transit. In fact, it’s most often stolen from its place of storage. Still...

PERCENTAGE OF COMPANIES THAT ENCRYPTED DATA
During transmission  54%
In storage  30%

“The more you take care of the little stuff, the less likely someone will be able to pull off a big attack.”

-HOWARD SCHMIDT


ALIGNMENT: A BAD THING? Those who said security practices were completely or closely aligned with the business were far more likely to suffer huge losses and long downtimes than those who said security was poorly or not at all aligned with the business. Could it be alignment means you’re compromising security in order to please business leaders?

                                 PERCENTAGE THAT SAID SECURITY IS   PERCENTAGE THAT SAID SECURITY IS
                                 COMPLETELY OR CLOSELY ALIGNED      POORLY ALIGNED OR NOT ALIGNED
                                 WITH BUSINESS                      WITH BUSINESS
Those with $500,000+ damages     57%                                19%
Those with 10+ days downtime     41%                                20%
Those with 50+ incidents         54%                                16%


THE BIG RETURN ON CORPORATE ESPIONAGE The more damaging the attack, the more likely a corporate rival is involved.

PERCENTAGE THAT SAID A COMPETITOR WAS THE LIKELY SOURCE OF A SECURITY BREACH
Overall
When damages totaled $100,000 to $500,000  15%
When damages totaled $500,000+  25%


WIRELESS DISCONNECT There’s considerable investment in wireless security...

DO YOU USE WIRELESS SECURITY?
Currently employs wireless security  20%
Plans to use wireless security
Under consideration  38%

...although it’s the least likely method of attack to have caused a breach.

FOR THOSE WHO WERE HACKED, WHAT WAS THE METHOD OF ATTACK?
Mobile/wireless intrusion  15%


TRAINING SHMAINING The greater the damages from breaches last year, the less likely that staff training will be a priority next year.

PERCENTAGE THAT NAMED “STAFF TRAINING” A TOP-THREE PRIORITY NEXT YEAR
Those with no damages  46%
Those with no downtime  43%
Those with no incidents  43%
Those with $500,000+ damages  26%
Those with 10+ days downtime  29%
Those with 50+ incidents  35%


Still Reactive After All These Fears

Despite experts preaching about risk management and treating security proactively, security is still largely justified by fear and government regulation.

FEAR DRIVES SPENDING How are security investments justified in your company? (Respondents could check all that apply.)

REACTIVE FACTORS
Liability/exposure  69%
Regulatory requirements  53%
Revenue impact  40%

PROACTIVE FACTORS
Contribution to business objectives  36%
Partner/vendor requirements
Economic ROI  20%

WHAT THE NUMBERS MEAN

In and of themselves, these numbers won’t surprise anyone, and the cynics among us will sniff knowingly. No matter how much preaching we do about making security a contributor to the bottom line, and measuring its return, the discipline is largely too young and unscientific for that. There are some primitive formulas, but none has been widely accepted. It’s still easier to rely on scare tactics to justify security investments.

This shouldn’t be considered an endorsement of that strategy. According to security experts, CISOs and CSOs should seek any objective calculation of the value of security.

But the numbers do carry some nuances. For example, the low percentage of respondents who take into consideration the security requirements of their partners and vendors suggests that they aren’t thinking about security as an external networking problem. Their thinking still focuses on “How will a hacker attack me?” instead of “How will any given hack attack reach me?” Also, partners and vendors aren’t demanding of each other that they, in turn, meet certain security levels, which would make interaction safer.

Covenant  Health  is  a  perfect  example. 
Covenant  Health  wasn’t  attacked,  but  the 
Slammer  worm  still  infected  the  five-hospital 
network  in  Knoxville,  Tenn.  It  slithered 
through  a  port  unknowingly  left  open  to  a 
Covenant  service  provider.  That  provider  was 
also  infected  but  not  attacked;  the  worm  had 
infected  the  service  provider  through  a  port 
left  open  to  one  of  its  partners. 

To spin an old caveat: When you connect your network with a partner, you’re also connecting to your partner’s partners. Yet only 22 percent of the respondents were required by their partners to practice safe business. That seems like the easiest thing in the world to do. Just ask—no, demand—that partners do their part. The fact that so few companies demand it suggests a paralysis of hypocrisy: How can any one company demand that others be safe if it can’t, for sure, guarantee that it won’t infect its partners? It will take growth in that vigilant minority who do demand safe business to tip the scales in favor of security over promiscuity.

Covenant Health’s former CIO Frank Clark became a part of that vigilant minority after learning the hard way. He demanded partners meet certain security requirements before allowing them to link up to his network. “We made them specify exactly what they wanted access to,” he says. “But they, themselves, had a hard time knowing what they wanted access to.” By requiring partners to meet higher security standards, he says, they’ll require their partners to do the same.


TO-DOs

1. Pursue metrics and business justifications for security, and try to wean yourself from using fear factors to justify security investments.

2. Set baseline security requirements for anyone connecting to your network, and force partners and vendors to meet those requirements.
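The Covenant Health episode comes down to one permissive rule on a partner link. The Python below is an added example, not code from the article or from Covenant Health, that models partner-link firewall rules and tests them the way Frank Clark’s “specify exactly what you want access to” requirement implies: whether a Slammer-style probe (the worm spread over UDP port 1434, SQL Server’s resolution service) gets through, which allow rules are broader than an explicit access list, and how far a scanning worm travels along a chain of partner links. The subnets, service names, rule sets and hop names are constructed for illustration and are not taken from the survey.

```python
"""Partner-link rule audit. Added example; subnets, services and rule sets
below are constructed, not taken from the article or from Covenant Health."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    src: str             # source network in CIDR notation, or "any"
    proto: str           # "tcp", "udp" or "any"
    dport: int | None    # destination port, None = any port

    def matches(self, src_ip: str, proto: str, dport: int) -> bool:
        if self.src != "any" and ip_address(src_ip) not in ip_network(self.src):
            return False
        if self.proto != "any" and self.proto != proto:
            return False
        return self.dport is None or self.dport == dport


def evaluate(rules: list[Rule], src_ip: str, proto: str, dport: int) -> str:
    """First matching rule wins; anything unmatched is denied (default deny)."""
    for rule in rules:
        if rule.matches(src_ip, proto, dport):
            return rule.action
    return "deny"


def over_broad(rules: list[Rule]) -> list[Rule]:
    """Allow rules that leave source, protocol or port unconstrained: the rules a
    partner who 'had a hard time knowing what they wanted access to' ends up
    with, and exactly the ones a worm needs."""
    return [r for r in rules if r.action == "allow"
            and (r.src == "any" or r.proto == "any" or r.dport is None)]


def worm_reach(chain: list[tuple[str, list[Rule], str]], proto: str, dport: int) -> list[str]:
    """A scanning worm advances one hop along a chain of partner links whenever
    the rules guarding that hop admit its port from an infected host on the
    previous hop. Each chain entry is (hop name, rules on that hop's inbound
    link, source address on the previous hop). Returns the hops reached."""
    reached = []
    for name, rules, src_ip in chain:
        if evaluate(rules, src_ip, proto, dport) != "allow":
            break
        reached.append(name)
    return reached


# Constructed networks (RFC 5737 documentation ranges): a service provider and
# one of that provider's own partners, upstream of the hospital network.
PARTNER_NET = "203.0.113.0/24"       # the service provider's address space
UPSTREAM_NET = "198.51.100.0/24"     # the provider's partner

# Weak: "let the provider in", written as a single any-protocol, any-port rule.
WEAK_RULES = [Rule("allow", PARTNER_NET, "any", None)]

# Hardened: the provider stated exactly what it needs (HTTPS and SFTP);
# everything else is denied explicitly.
HARDENED_RULES = [
    Rule("allow", PARTNER_NET, "tcp", 443),
    Rule("allow", PARTNER_NET, "tcp", 22),
    Rule("deny", "any", "any", None),
]

# The provider's own inbound link to its partner, equally permissive.
PROVIDER_RULES = [Rule("allow", UPSTREAM_NET, "any", None)]

# Slammer probe from an infected host on the provider's network.
SLAMMER_PROBE = ("203.0.113.42", "udp", 1434)

WEAK_CHAIN = [("service provider", PROVIDER_RULES, "198.51.100.7"),
              ("hospital network", WEAK_RULES, "203.0.113.42")]
HARDENED_CHAIN = [("service provider", PROVIDER_RULES, "198.51.100.7"),
                  ("hospital network", HARDENED_RULES, "203.0.113.42")]


if __name__ == "__main__":
    print("weak rules admit Slammer probe:", evaluate(WEAK_RULES, *SLAMMER_PROBE))
    print("hardened rules admit Slammer probe:", evaluate(HARDENED_RULES, *SLAMMER_PROBE))
    print("over-broad allow rules:", over_broad(WEAK_RULES))
    print("worm reaches (weak):", worm_reach(WEAK_CHAIN, "udp", 1434))
    print("worm reaches (hardened):", worm_reach(HARDENED_CHAIN, "udp", 1434))
```

The hardened rule set still lets the provider do its job; it simply refuses everything the provider never asked for, which is what stops a worm that the provider itself did not ask for either. The chain check is the “partner’s partners” caveat made concrete: the hospital’s exposure is the product of every permissive link upstream of it, and tightening its own link is the only one of those it controls.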


The Per Capita Benchmark

Dividing security budget by number of employees yields some surprising—and erratic—spending habits. But even here the confidence correlation is clear.


SECURITY SPENDING PER EMPLOYEE
For a new perspective on spending, simply divide your infosec budget by number of employees. Average per-capita infosec spend by industry, in dollars:

Energy utilities                                 $7,022
Information security consultant                   2,268
Software                                          1,899
New media                                         1,885
Computers/networking                              1,841
Government                                        1,797
Consumer goods                                    1,298
Distributor                                       1,297
E-commerce                                        1,252
Other                                             1,229
Telecommunications/ISP                            1,211
Broadcast/cable                                   1,115
Consulting/professional services                  1,110
Biotech/biomedical                                1,057
Aerospace                                           780
Semiconductors                                      757
Insurance/HMOs                                      706
Financial services/banking                          693
Media/entertainment                                 587
IT vendors                                          586
Health care/medical                                 548
Logistics/transportation                            484
Electronics                                         481
Utilities                                           474
Food/beverage                                       423
Industrial products                                 419
Nonprofit                                           415
Education                                           414
Real estate                                         394
Agriculture                                         385
Hospitality/travel/leisure                          350
Petroleum                                           311
Publishing                                          237
Venture capital                                     228
Manufacturing/industrial (noncomputer)              226
Automotive                                          220
Chemicals                                           184
Construction/engineering                            184
Pharmaceutical                                      152
Retail/consumer goods                               144
Metals/natural resources                            106

WHAT THE NUMBERS MEAN

The per capita security spend—information security budget divided by number of employees—gives you a benchmark with which to compare yourself across industries, regardless of company size. It can also show how spending per employee varies geographically. It’s a simple but powerful calculation that will shed some light on a subject that you’ve been struggling with.

Impulsively,  you  might  use  the  spectrum  to 
see  if  your  spending  is  normal.  But  while  there 
is  an  overall  average  spending  level  ($964), 
there’s  nothing  “normal”  about  the  range  of 
spending,  from  as  little  as  $100  per  employee 
to  well  into  the  thousands  of  dollars. 

Many factors could account for the broad range of spending. In some industries, the stakes are far higher, even if the personnel requirements are not. An energy utility is a good example, where 72 respondents yielded an average security spend per capita of more than $7,000.

Despite the lack of normalcy, the confidence correlation shows up here too. The confident companies spent nearly two and a half times more per capita than those that lacked confidence, and one and a half times as much as the overall average. (Interestingly, the 6 percent who were unsure of how confident they were spent just $585 per capita, even less than the least confident group.)

North American businesses also spent significantly more ($1,200 per capita) than companies in the rest of the world (about $800). That didn’t make them any safer, per se. Some argue it proves North American companies are less efficient with their security spending.

In the strangest twist of all, companies that suffered no damages last year spent $684 per capita, less than the average for companies that had suffered damages. Companies with more than a half million in damages spent nearly $1,500 per head. The survey can’t say which way the causation runs; a plausible reading is that budgets rise after a costly incident, not that spending invites damage. The calculation may be primitive, but security executives are clamoring for any objective numbers they can get their hands on. At the very least, it’s a ballpark in which to play.

TO-DOs

1. Try the per capita security expenditure calculation in your enterprise.

2. Compare your per capita expenditure to the average in your industry, the very confident and not very confident groups, and the overall average of $964.




Why No One Hits .400 Anymore

The late naturalist Stephen Jay Gould contended that complex systems evolve from wild variation in their youth to relative uniformity in maturity, while the overall average stays constant throughout. To make his point, Gould used baseball. In Full House: The Spread of Excellence from Plato to Darwin, he noted that, throughout the history of the game, the aggregate batting average of major-league hitters has remained constant at about .260, but that there used to be a much higher incidence of .400 hitters than now. Ted Williams was the last player to hit over .400. Prior to that, Ty Cobb and Rogers Hornsby did it three times each.

But no one hits .400 anymore, despite the fact that hitters use better equipment and have access to advanced training technologies. The reason, Gould asserted, is that everything, notably pitching and fielding, has improved around them. When baseball was young, no one knew the best way to pitch or the best strategy for positioning fielders. Over time, data has been analyzed and best practices have emerged. Everyone gets so good at what they do, Gould asserted, that there is less room for deviation from the norm. Indeed, batting averages vary less and less from the century-old average of .260.

Information security in 2003 is where baseball was in 1922. There’s wild variation in how well companies secure their enterprises. But data will accrete, best practices will emerge, information security will normalize, and everyone will move toward the mean.

Until  then,  however,  some  companies  are 
Ty  Cobb,  and  many,  many  others  can’t  bat 
their  weight.  ■ 


Budgets, breaches and best practices. Here’s a landscape perspective on “The State of Information Security 2003.”


BUMP  UP  THE  BUDGET  Most 
companies  are  increasing  spending, 
and  many  security  budgets  that  were 
under  $100,000  last  year  are  more 
than  $100,000  this  year. 


COMPARED TO 2002, YOUR SECURITY BUDGET IN 2003 WILL...
(chart; response categories: Decrease significantly, Decrease a little, Stay the same, Increase a little, Increase significantly; percentages not recoverable from the extraction)


STILL  UNDER  I.T.’S  THUMB 

Information  security  is  still  largely 
under  the  control  of  IT,  which  devotes 
to  security  11  cents  of  each  dollar  it 
spends. 


TO WHOM DOES YOUR SECURITY ORGANIZATION REPORT?
(chart; categories IT, CIO, CEO, CSO, CFO 5%, Other 12%; the remaining values extracted are 41%, 21% and 16%, and their assignment to IT, CIO, CEO and CSO is not recoverable)


INFOSECURITY BUDGET 2002 VERSUS 2003
(chart; budget bands: Less than $10,000; $10,000 to $99,999; $100,000 to $1M; More than $1M; values not recoverable)

IS INFORMATION SECURITY INCLUDED IN YOUR COMPANY’S I.T. BUDGET?
(chart; values not recoverable)

AVERAGE INFOSEC BUDGET AS A PERCENTAGE OF THE I.T. BUDGET FOR 2003
(chart; the text above puts the figure at 11 cents of each IT dollar)


Reach  Senior  Editor  Scott  Berinato  at  sberinato@cxo.com. 


Need  More  Data?  We’ve  Got  It. 

Check  out  CSO’s  exclusive  research  online,  including 
the  popular  “State  of  the  CSO”  survey.  Go  to 

www.csoonline.com/csoresearch. 


“The haystack has gotten too big to look for needles in it.”

-ANDREW TONER




State of Security Survey (cont.)


HOW TO MERGE DISCIPLINES Of the companies that said information security and physical security were integrated at their companies, nearly half are combining them via policy.

IS PHYSICAL SECURITY INTEGRATED WITH I.T. SECURITY IN YOUR ORGANIZATION?
(chart; responses Yes and No, with the values 72% and 28% in that order as extracted)

FULL-TIME  HELP  More  than  half  of 
companies  devote  fewer  than  five  full¬ 
time  employees  to  information 
security. 

TOTAL  SALARIED  EMPLOYEES  DEDICATED  TO 
INFORMATION  SECURITY 


IF YOU ANSWERED YES, HOW ARE PHYSICAL AND I.T. SECURITY INTEGRATED AT YOUR COMPANY?
(chart; categories: Both IT and physical security departments report to same exec; My organization has an IT/physical security committee; IT and physical security policies/procedures are integrated; values not recoverable, though the text above puts the policy option at nearly half)


WISHFUL  THINKERS 

10%  of  respondents 
believe  that  100%  of  their 
users  are  in  compliance 
with  their  companies’ 
information  security 
policies,  while  24% 
neither  measured  nor 
reviewed  their  security 
policies. 


NEXT  YEAR’S  VAGUE  TO-DO  LIST 

The  most  prevalent  priorities  for  next 
year  were  the  most  general  security 
practices. 


TOP THREE SECURITY-RELATED ORGANIZATIONAL PRIORITIES FOR NEXT YEAR

Raise end user awareness of policy and procedures   (value not recoverable)
Train staff                                          41%


POLICY HERE, SPENDING THERE

For the most part, security policy and security spending are controlled by different groups or individuals.

IN YOUR ORGANIZATION, WHO IS RESPONSIBLE FOR SETTING SECURITY POLICY AND SPENDING LEVELS?

                            Policy   Spending
CIO / Head of infosec/IT    (the chart shows 37% and 19% for these two rows; which value belongs to which row and column is not recoverable)
CEO                          28%      46%
Security administrators      22%       4%
Infosec committee            20%       6%
CSO                          19%       7%
CFO                           9%      35%
Business unit leader          9%       8%
Consultant                    8%       2%
Other                         3%      (second value not recoverable)


“People think in terms of threats, not in terms of risk.”

-T. SEAN MCCREARY


Develop security policies and standards   35%   (third item of the priorities chart above)




WOE IS US In a category where they could check all that apply, respondents weren’t shy about doing just that to indicate the outside forces that make their jobs hard. Of course, money was No. 1 on the list.


WHAT, IN YOUR OPINION, PRESENTS A BARRIER TO GOOD SECURITY MEASURES IN YOUR ORGANIZATION?

Limited budget                                                           64%
Lack of time to focus on security                                        47%
Lack of staff dedicated to security                                      39%
Lack of security training/awareness                                      32%
Lack of support from executive mgmt.                                     27%
Complex technology infrastructure                                        27%
Unqualified IT/security staff                                            24%
Lack of cooperation between groups                                       24%
Poorly defined policy                                                    22%
Lack of mature tools/technology                                          20%
Poorly designed and/or built IT infrastructure                           19%
Lack of collaboration between physical and information security teams    14%


BEST PRACTICES—PRIVACY A list of the most common and least common best practices employed to ensure privacy.

MY ORGANIZATION EMPLOYS THE FOLLOWING DATA PRIVACY SAFEGUARDS:

MOST COMMON
Inform employees of privacy policy and behavior     75%
Encrypted transmission of data                      54%
Role-based access control                           53%


“Having the CISO report to IT, it’s a deathblow.”

-BILL SPERNOW


LEAST COMMON
Adoption of regulatory requirements                  30%
Third-party assessment/verification                  24%
Chief privacy officer/data protection commissioner   (value not recoverable)


BEST PRACTICES—SECURITY TECHNOLOGY A list of the most common and least common tools employed to ensure security.

MY ORGANIZATION EMPLOYS THE FOLLOWING TOOLS TO IDENTIFY, MITIGATE AND ADDRESS VULNERABILITIES:

MOST COMMON
Virus detection                          93%
User passwords                           89%
Network firewalls                        82%

LEAST COMMON
PDA security                              9%
Biometrics                                5%
Testing for system policy compliance      0%


BEST PRACTICES—SECURITY POLICY A list of the most common and least common best practices employed to safeguard information.

MY ORGANIZATION EMPLOYS THE FOLLOWING INFORMATION SECURITY SAFEGUARDS:

MOST COMMON
Have formal processes for business continuity/disaster recovery          65%
Have formal processes for incident response                              54%
Have a process for evaluating risks and vulnerabilities on a regular basis   49%

LEAST COMMON
Information security reports to a group or individual outside of IT      24%
Have a process to evaluate ROI for security initiatives                  14%
Developed a process to calculate the cost of a security breach           12%




ENTERPRISE VALUE RETREAT & AWARDS CEREMONY

FEBRUARY 8 - 10, 2004

TRUMP INTERNATIONAL SONESTA BEACH RESORT
SUNNY ISLES BEACH, FLORIDA


This  is  the  event  for  CIOs  who  are  concerned  with 
articulating,  delivering  and  demonstrating  the  value  IT 
brings  to  the  enterprise.  While  some  pundits  say  IT  is  only  a 
commodity,  we  believe  IT  continues  to  be  at  the  forefront  in 
increasing  your  competitive  advantage.  To  give  you  more 
ways  of  looking  at  IT  value,  we  incorporate  research  and  case 
studies  from  Peter  Weill’s  work  at  MIT  Sloan  School  of 
Management.  We  put  you  together  with  CIOs  who  are  the 
winners  of  this  year’s  CIO  Enterprise  Value  Awards. 

And  we  give  you  the  opportunity  to  learn  from  each  other. 


Call  800.355.0246  or  visit  us  at  www.cio.com/conferences 


Publishing

Advertising Supplement

INFORMATION: GETTING ALL YOU CAN FROM YOUR MOST IMPORTANT ASSET  P.4

DATA MANAGEMENT IN A ZERO-LATENCY

ING BUSINESS

© 2003 Storage Technology Corporation, Louisville, CO. All rights reserved. StorageTek, the StorageTek logo and Save the Day are either trademarks or registered trademarks of Storage Technology Corporation.

I can’t pull all-nighters every night. Thing is, our backup and recovery system has to. It can’t rest. Not even for a second. Not if I hope to get some myself.

Make sure your data’s always safe and you’ll save yourself a lot of worry. And work. One way is with EchoView™. A potent, new data-protection appliance that continually captures and journals data as soon as it’s written, for nonstop protection. And EchoView™ provides rapid recovery to any point in time, to keep business humming. So while your systems may be disrupted, your nights won’t be. Learn all the ways we can help you at www.savetheday.com. StorageTek. Save the Day.


\ 


CIO ADVERTISING SUPPLEMENT

DATA AND STORAGE SOLUTIONS | AGENDA

STORAGE SOLUTIONS: SAVE THIS EDITION


BY TOM FIELD

While on the topic of storage, let me give you a piece of sound advice: hold onto this particular Strategic Directions edition. Get extra copies if you have to, and lock some away in a safe place for later retrieval and reference. Whatever you do, don’t let this issue fall into the desktop pile of to-be-reads that never gets read.

Because of all the key topics we could be exploring (and, hey, in the Strategic Directions series, they’re all key topics), none is any more front-and-center and of-the-moment than data storage and management.

Excuse me. Make that “Data and Storage Solutions” because, really, that’s what we’re here to discuss: new ways to tackle the ever-growing problem of storing and securing all this vital data we collect.

At a time when CIO Magazine’s annual “State of the CIO” survey reveals integration, cost-reduction, alignment and security as the top four priorities challenging IT leaders, storage cuts to the heart of each of them. In this age of electronic commerce, data is the coin of the realm. Integrating and securing this data in the most cost-efficient, business-driven manner possible—that’s the task entrusted to IT leaders. And it’s the mission of this critical Strategic Directions edition to offer new strategies and solutions on such core topics as:

■ Taking stock of information assets;

■  Maximizing  data  investment; 

■  Dealing  with  unstructured  data; 

■  Storage  management  technologies 
and  techniques; 

■  The  ROI  of  data  management. 

By no means is this Strategic Directions edition the last word on storage management, but I’d like to think it furthers the conversation greatly.

About Strategic Directions: As you know, Strategic Directions is the ongoing series of CIO Magazine supplements, produced by CIO’s Custom Publishing group, focusing on the key business-critical technologies and solutions of the day. Through research, analysis, case studies and vendor profiles, Strategic Directions provides an executive-level primer to the hot topics on the minds of senior IT and business leaders.

Please let us know what you think—about Strategic Directions in general, this edition in particular, and ideas you’d like us to tackle in future editions. Got any storage management best-practices you’d like to share with other IT/business leaders? Send them to me; I’ll pass them along in our next issue.

Thanks  for  reading  Strategic 
Directions.  And  thanks  in  advance  for 
writing  in  with  your  feedback. 

Tom  Field 

Director  of  Content  Development 

CXO  Media  Custom  Publishing 

Tfield@cxo.com 


READER  FORUM 

To  the  Editor: 

This  issue  on  Security  takes  home  the 
trophy.  In  fact,  you  could  do  all  four 
issues  this  year  on  the  changing  face  of 
security  in  technology  —the  corporate 
environment  includes  all  forms  of  tech 
innovation  from  PDA  and  tablet  PC  to 
cell  phone  hybrid  with  internet  access. 
I’m particularly interested in the vulnerabilities of satellite connections and extended range wi-fi (from 7 miles to 30 miles).

It’s  a  winner.  Congrats.  I’m  using  it 
rather  than  just  reading  it  with  interest 
as  with  most  other  CIO  issues. 

Dick  Bouslough 
IS  Dir 

Forest  Home  Inc. 


To  the  Editor: 

Just  catching  up  on  my  reading  and 
caught  your  article  on  Outsourcing  in 
the  Strategic  Directions  series  in  the 
June  15  CIO  magazine.  The  tips  in  the 
article  are  right  in  line  with  my  thinking 
and our experience managing a $1 billion outsourcing deal with Unisys Corp.
as  our  partner.  Particularly  liked  the 
line  about  outsourcing  being  an 
engagement  -  “...for  it  to  succeed  then 
parties  on  both  sides  of  the  deal  have  to 
remain  fully  engaged”. 

Keep  up  the  good  work! 

Pat  Schambach 

Assistant  Administrator  and  CIO 
Transportation  Security  Administration 
U.S.  Department  of  Homeland  Security 


STRATEGIC  DIRECTIONS  3 




DATA AND STORAGE SOLUTIONS | INFORMATION


INFORMATION: 

GETTING  ALL  YOU  CAN  FROM 
YOUR  MOST  IMPORTANT  ASSET 


“Extracting more value from existing resources, in particular data and storage assets, is a top-of-mind challenge for CIOs,” says Guido Sacchi, chief information officer of credit card provider CompuCredit.

To make it happen, you have to pull more value from your existing IT infrastructure and stretch legacy technologies and applications to fit new demands.

“The first step for IT departments should be to devise a clear strategy for informational assets, focused on architecture,” Sacchi says. “Architectural design is the key to unlocking value, and it helps the organization define where true business value resides and what can be considered a ‘utility’.”


What will it take? Here’s the short list:
■ OWN YOUR STRATEGY AND YOUR ARCHITECTURE. It’s critical for CIOs to demonstrate leadership so that precious budget dollars are not spent in unnecessary investments, says Sacchi. “Engage vendors in implementing an effective architectural design driven by the company’s business model and demand for informational assets. CIOs should implement what they have designed and be the owners of critical business knowledge, as opposed to abdicating this responsibility to vendors.”


■  APPLY  ASSET  MANAGEMENT  PRINCIPLES. 

“It’s striking that many people talk about data as an asset yet forget to apply fundamental asset management principles,” says Sacchi. For example, one of the main tasks for IT departments should be to understand the criticality of informational assets. This approach has inspired a deep understanding of data criticality at CompuCredit and has led to more than $500,000 worth of freed-up capacity in just the first six months of the new strategy’s execution. As a result, CompuCredit completed an acquisition without additional capital investments in storage resources.

■ KEEP IN MIND DATA, STORAGE AND BUSINESS CONTINUITY POLICIES. “Every organization should have at least minimal policies relating to retention and expiration of files on online, near-line and offline storage systems,” explains Hernan Alvarez, vice president of infrastructure at the mobile-media company Mobliss, Inc. “Nearly every element should be included.” Important ones include data lifecycle and recovery priority. The data management plan needs to be tightly integrated with any disaster recovery plan. As the business grows, the data management plan will change, and disaster recovery needs to follow. If the two are out of sync, mean time to recovery will be greater than the business can withstand without unacceptable cost, and data loss may occur.


“EXTRACTING MORE VALUE FROM EXISTING RESOURCES, IN PARTICULAR DATA AND STORAGE ASSETS, IS A TOP-OF-MIND CHALLENGE FOR CIOs.”

— GUIDO SACCHI, CIO, COMPUCREDIT







“THE AMOUNT OF UNSTRUCTURED DATA IN ORGANIZATIONS IS NOW SIGNIFICANTLY LARGER THAN THE AMOUNT OF STRUCTURED DATA.”

—BILL RUH, SR. VP, PROFESSIONAL SERVICES, SOFTWARE AG


■ CONSOLIDATE INFORMATION RESOURCES. Decision makers can’t get an enterprise-wide view of the business if vital information is scattered and difficult to obtain. Sometimes consolidation means integrating physical resources—data, applications—and revamping business processes. Sometimes it means re-architecting infrastructure. Sometimes it means virtualization. For many organizations, consolidation means upping the ante when it comes to managing data, which must be synchronized, transformed and integrated from multiple systems. Such integrated data may reside in a virtual database, a very large centralized database or a distributed, networked system based on Web services standards like XML (extensible markup language).

■ INVEST IN STRUCTURED AND UNSTRUCTURED DATA MANAGEMENT. Data management investments can boost productivity, make customer-satisfaction work more valuable and efficient, and institute a single, topside view of the business. The challenge: keeping databases manageable as they grow to petabyte-plus sizes while responding to a push for zero-latency business processes as well. It can be accomplished with increasingly sophisticated database design and management tools, as well as ubiquitous standards and faster interconnections that can move data quickly among a multitude of legacy systems. Getting the most out of all corporate resources also means finding more fruitful ways to exploit the knowledge contained in the vast amounts of unstructured data (documents, for example) that every organization produces. IT has to boost end users’ ability to access that data—through portals, which serve as a standard interface that may be centrally managed, and new kinds of search capabilities. Of course, all this data must be stored efficiently and safely even as data volumes continue to explode. Storage networking, consolidation and resource management solutions that exploit open standards to ease administrative costs and infrastructure complexity are among the answers many organizations are exploring.

■ DON’T FORGET ABOUT SECURITY. “Often, a database is secured very well, but an extract or backup copy has very little security,” notes Bob Venable, manager of enterprise systems at Blue Cross and Blue Shield of Tennessee. “We need to keep up, so we need security that follows data and ways to identify what’s inside a file.”

■ MAKE IT A UTILITY. The ability to fine-tune IT resources in immediate response to changing business conditions can lower costs and save time. The idea is to model the corporate IT function after a utility: services are delivered transparently, without interruption, so end users can focus on the business task at hand rather than the twists and turns of technology. Utility computing empowers IT departments to offer usage-based chargebacks. Different user needs are met with varying levels of service and availability that can be formalized with service-level agreements. The resulting accountability means that IT can more efficiently allocate assets and control costs, track changing user needs with greater precision, and fashion and exploit a more flexible infrastructure with better-planned hardware and software deployments. It can also align itself more closely with the goals of individual business units and the company overall.

■ REDUCE THE COSTS OF TECHNOLOGY OWNERSHIP. As more information technologies become commoditized, it’s critical to distinguish between IT activities that are a necessary cost of doing business and those that can induce strategic leverage. “Remember to count in problem diagnosis and resolution,” says Venable. “Finding a problem can take a lot of time and will be put off by busy people, resulting in downtime that’s possibly longer and more costly than paying to avoid the problem on the front end.” Ways to trim the costs of nonstrategic technologies include:

• Componentization. Breaking up enterprise application suites into smaller, more easily digestible pieces that are implemented gradually in stages can generate a more granular return on investment (ROI).

• Standardization. Open standards in data management and storage networking can ease the struggle to integrate data and applications, and transport data between incompatible platforms.

• Outsourcing. Non-core business functions, such as payroll or purchasing non-production goods, can be handed off to specialists who do it for less than you can.

• Bundling services. Negotiating service contracts as part of other purchases can save you, well, a bundle. SD






DATA AND STORAGE SOLUTIONS | DATA MANAGEMENT

DATA  MANAGEMENT 

IN  A  ZERO-LATENCY  WORLD 


The value of the topside perspective—the famous 360-degree view of the customer, the enterprise-wide view of the business—is undisputed. But generally, a topside view requires lots of data from many sources, and putting it all together is hindered by a lack of standards and databases designed for single-shot operational functions. Meanwhile, mixed-workload environments that combine operational as well as analytic and decision-support functions strain legacy systems that few can afford to abandon.

Thus, two issues rise to the fore in data management: integration and scalability.

Integration is the merging, cleansing and standardization of data and/or the integration of data silos. This is part of a larger movement toward enterprise integration that will be implemented with several kinds of solutions. According to the research firm Gartner, enterprise integration now consumes about 35 percent of total IT spending, as solutions move toward what Gartner calls the “service-oriented architecture”—IT infrastructure functionality exposed as services accessed through well-documented interfaces, and business data and logic shared among multiple applications, enabling reuse of services and relieving developers of the need to handle back-end implementation minutiae.

Scalability means ensuring that hardware, software and networks can reliably and efficiently deal with increasing amounts of data and quickly evolving business demands. Developments in hardware are making it easier to scale databases to the burgeoning needs of end users. Commodity systems arrayed in a rack of “blades” can be amassed by the tens, or by the thousands, rivaling the power of symmetric multiprocessors but at less cost. And networked storage—notably storage area networks, with or without links to network attached storage—makes possible the centralized management of stored data independent of the systems and applications that access them.

“Most database environments will grow way in excess of what anyone thought they would at the time of original design and purchase,” says Bob Venable, manager of enterprise systems at Blue Cross and Blue Shield of Tennessee. “When it comes to scalability, think in terms of total edge-to-edge performance, from the enter key on end-user PCs to Ethernet communications lines to servers to disk. Remember, it’s about true end-to-end performance.”

IT’S  ABOUT  THE  BUSINESS 

Driving data integration is a mounting need to deliver to decision makers the best possible information to do their jobs.

“No  data  is  standalone  anymore,” 
Venable  says.  “Almost  everyone  has  over¬ 
lapping  business  processes  that  share  data. 
Avoiding  data  duplication  and  accidental 
old  data  copy  utilization  is  important.” 

This means bringing together data from multiple, often incompatible applications, legacy systems, enterprise resource planning (ERP) systems, flat files and more. Gartner estimates that migrating legacy data sources can eat up more than 20 times the effort and resources required to deploy an ERP application.

Data  integration  can  be  about 
some  or  all  of  these: 

■  Extract,  transform  and  load  (ETL) 
functions  that  pull  information  from 
databases 

■  Enterprise  application  integration 
(EAI)  tools  that  allow  applications  to 
interact  and  pool  data  across  platform 
environments 

■  Web  services  that  permit  one  app  to 
extract  and  manipulate  data  from 
another. 

DOING  THE  DIRTY  WORK 

Key  to  data  integration  is  clean,  usable 
data.  The  Data  Warehousing  Institute 
estimates  that  poor  data  quality  costs 
U.S.  businesses  more  than  $600  bil¬ 
lion  a  year  in  printing,  postage  and 
staff  overhead,  among  other  expenses. 
Analysts  at  Gartner  expect  that  over 
the  next  three  years,  at  least  50  per¬ 
cent  of  data  warehouse  projects  will 
fail  to  achieve  their  desired  results  due 
to  data  quality  problems. 

Data  cleansing  tools,  which  integrate 
with  ERP,  CRM  and  other  business  intel¬ 
ligence  solutions,  clean  up  mailing  lists  or 
customer  databases  by  searching  for  and 
correcting  duplicate  or  incorrect  address¬ 
es,  for  instance,  or  checking  for  mis¬ 
spellings  or  spelling  variations.  They  can 
identify  miscategorized  data  and  apply 
customizable  rules  to  ensure  that  the  data 
entered  is  appropriate. 
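Matching “Acme Corp.” to “ACME CORP”, or “12 main st.” to “12 Main Street”, comes down to reducing each record to a normalized comparison key before it is loaded. The block below is an added example, not code from the supplement or from any vendor it names: a small extract, transform and load run over a constructed SQLite source table, in which the transform step expands street-suffix abbreviations, strips case and punctuation, rejects rows that fail a ZIP-code rule and quarantines duplicates with a reason instead of loading them. The sample rows, the suffix table and the ZIP rule are all assumptions made for the illustration.

```python
"""Extract-transform-load run with a data-cleansing step.

Added example, not code from the supplement or from any vendor it names.
The source rows, the street-suffix table and the ZIP rule are constructed
here purely for illustration.
"""
import re
import sqlite3

# Constructed sample: three source systems holding overlapping customers,
# with the spelling variations and one bad ZIP that cleansing must catch.
SOURCE_ROWS = [
    ("crm",  "Acme Corp",  "12 main st.",    "Chattanooga", "TN", "37402"),
    ("erp",  "ACME CORP",  "12 Main Street", "chattanooga", "tn", "37402"),
    ("flat", "Acme Corp.", "12 Main St",     "Chattanooga", "TN", "3740"),
    ("crm",  "Beta LLC",   "400 river rd",   "Knoxville",   "TN", "37902"),
    ("erp",  "Beta, LLC",  "400 River Road", "Knoxville",   "TN", "37902"),
]

# Constructed abbreviation table; commercial tools ship far larger ones.
STREET_SUFFIX = {"st": "street", "rd": "road", "ave": "avenue", "blvd": "boulevard"}

# Assumed validation rule: a US ZIP or ZIP+4.
ZIP_RULE = re.compile(r"^\d{5}(-\d{4})?$")


def _canon(text: str) -> list:
    """Lower-case, drop punctuation and collapse whitespace into tokens."""
    return re.sub(r"[^\w\s]", "", text.lower()).split()


def normalize_address(street: str) -> str:
    """'12 main st.' and '12 Main Street' both become '12 main street'."""
    return " ".join(STREET_SUFFIX.get(tok, tok) for tok in _canon(street))


def match_key(row: tuple) -> tuple:
    """The key on which two records count as the same customer."""
    _system, name, street, city, state, zip_code = row
    return (" ".join(_canon(name)), normalize_address(street),
            city.strip().lower(), state.strip().lower(), zip_code.strip())


def extract(conn: sqlite3.Connection) -> list:
    return conn.execute(
        "SELECT system, name, street, city, state, zip FROM source").fetchall()


def transform(rows: list) -> tuple:
    """Validate each row, then keep the first record seen per match key.

    Returns (clean_rows, rejected_rows). Rejects carry a reason so they can
    be quarantined and reviewed instead of silently vanishing.
    """
    canonical = {}
    rejected = []
    for row in rows:
        if not ZIP_RULE.match(row[5].strip()):
            rejected.append((*row, "zip_invalid"))
            continue
        key = match_key(row)
        if key in canonical:
            rejected.append((*row, "duplicate"))
            continue
        canonical[key] = row
    return list(canonical.values()), rejected


def load(conn: sqlite3.Connection, clean: list, rejected: list) -> None:
    conn.executemany("INSERT INTO customer VALUES (?,?,?,?,?,?)", clean)
    conn.executemany("INSERT INTO quarantine VALUES (?,?,?,?,?,?,?)", rejected)
    conn.commit()


def run_etl(conn: sqlite3.Connection) -> dict:
    rows = extract(conn)
    clean, rejected = transform(rows)
    load(conn, clean, rejected)
    return {"extracted": len(rows), "loaded": len(clean), "rejected": len(rejected)}


def quarantine_reasons(conn: sqlite3.Connection) -> list:
    return sorted(r[0] for r in conn.execute("SELECT reason FROM quarantine"))


def build_demo_db() -> sqlite3.Connection:
    """In-memory stand-in for the source system and the warehouse."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE source(system, name, street, city, state, zip);
        CREATE TABLE customer(system, name, street, city, state, zip);
        CREATE TABLE quarantine(system, name, street, city, state, zip, reason);
    """)
    conn.executemany("INSERT INTO source VALUES (?,?,?,?,?,?)", SOURCE_ROWS)
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_demo_db()
    print(run_etl(db))  # {'extracted': 5, 'loaded': 2, 'rejected': 3}
    for reason, name in db.execute("SELECT reason, name FROM quarantine"):
        print(reason, "->", name)
```

Quarantining rejected rows rather than discarding them is the part worth copying: a cleansing rule is a policy decision, and the record of what was merged or refused is what an auditor, or an analyst tracing how a wrong customer record got into the warehouse, will ask for.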


Bob was drowning in email compliance issues. Now he’s breathing easier.

Thanks to LEGATO, he can do his real job.

You need an efficient way to manage risk. LEGATO’s EmailXtender® suite simplifies email compliance. It captures, organizes, archives and provides immediate access to email and instant messages. So you can keep your head above water when it comes to compliance issues. Problem Solved.

For more information, visit www.legato.com or call 1-888-853-4286.

LEGATO

LEGATO, the LEGATO logo and EmailXtender are registered trademarks of LEGATO Systems, Inc.


CIO  ADVERTISING  SUPPLEMENT 


DATA AND STORAGE SOLUTIONS | DATA MANAGEMENT


ETL  TODAY 

From  their  beginnings  extracting  rela¬ 
tional  data,  transforming  it  into  a  standard 
format  and  loading  it  into  a  data  ware¬ 
house,  ETL  tools  have  evolved  into 
instruments  of  data  integration,  pulling 
data  from  operational  systems  and  all 
manner  of  applications.  To  combat  such 
challenges  as  overwhelming  data  volumes, 
poor  data  quality,  incompatible  metadata 
management  schemes  and  slow  data 
transformation  rates,  vendors  like  Ascen- 
tial  offer  integration  suites  that  take  on  not 
just  ETL  chores  but  also  data  profiling, 
metadata  management  and  data  quality. 

ETL  products  can  also  help  organ¬ 
izations  do  data  integration  on  the  fly, 
supporting  multiple  data  formats  along 
the  way.  Uniboard,  a  Canadian  manu¬ 
facturer,  expects  to  save  $200,000  over 
the  next  two  years  using  XML  Global 


Technologies’  GoXML  Transform, 
which  maps  between  complex  formats 
such  as  EDI,  X12,  HIPAA,  SWIFT  and 
XML  without  custom  coding. 

UNTANGLING  APPLICATION  SPAGHETTI: 
ENTERPRISE  APPLICATION  INTEGRATION 

Too  often,  changing  business  conditions 
force  organizations  to  enhance  their  IT 
infrastructures  by  means  of  standalone 
applications  that  were  not  designed  to 
be  integrated  with  any  other  systems.  In 
order  to  share  information  throughout 
the  enterprise,  they  typically  turn  to  cus¬ 
tomized  interfaces  that  allow  for  point- 
to-point  integration — and  in  the  process 
end  up  with  application  spaghetti,  a  tan¬ 
gle  of  interfaces. 

To  untangle  the  mess,  enterprise 
application  integration  (EAI)  systems  use 
generic  mechanisms  and  well-defined 


interfaces to connect existing applications and leverage multiple systems, generating a consolidated view of data. Because it is a strategic initiative, EAI typically involves designing an enterprise-wide framework that incorporates process definitions and business process reengineering and that embraces existing and future systems.

northAmerican  Logistics  (nAL), 
for  example,  claims  it  saved  more  than 
$1.5  million  over  four  years  using  Soft¬ 
ware  AG’s  integration  server,  EntireX, 
to  build  a  fully  automated  supply  chain 
that  processes  all  data  exchanged  with 
customers  and  partners  via  XML. 
Order-processing  costs  and  expenses 
for  the  maintenance  and  development 
of  its  IT  architecture  were  reduced  as 
well.  In  fact,  nAL  estimates  that  for 
every  $1  invested  in  EntireX,  it 
achieved  a  net  benefit  of  $5.49. 


CASE  STUDY 


COMPUCREDIT’S  ENTERPRISE  DATA  ARCHITECTURE  SOLVES  APPLICATION  INTEGRATION  AND 
INTEROPERABILITY,  DRIVES  SUCCESS 


A highly successful direct marketer of branded credit cards and fee-based products, CompuCredit bases its competitive advantage on the sophistication of its analytical techniques and its risk and decisioning models, especially in the acquisition and servicing of credit card receivables portfolios.

Not  surprisingly,  the  delivery  of  quality  informa¬ 
tion — on-demand— is  critical  to  the  success  of 
CompuCredit’s  1,500  employees.  So  when 
CompuCredit’s  forward-thinking  CIO,  Guido  Sacchi,  realized  soon  after  join¬ 
ing  the  firm  that  CompuCredit’s  underlying  IT  infrastructure— particularly 
its  data  architecture— was  in  need  of  a  serious  overhaul,  he  took  up  the 
challenge  and  began  the  process  of  building  an  enterprise  data  architec¬ 
ture  that  would  enable  and  sustain  the  firm’s  successful  business  model. 

XML  GATEWAY:  KEY  TO  SMOOTH  FLOWING  DATA 

After  evaluating  a  number  of  design  alternatives,  says  Sacchi,  CompuCredit 
decided  open  standards,  an  XML  architecture  and  an  investment  in  web 
services  would  be  the  best  way  to  achieve  its  goal  of  a  truly  supportive 
enterprise  data  architecture  that  solves  the  problem  of  enterprise  appli¬ 
cation integration and interoperability. CompuCredit next chose Software AG as its technology partner for the project.

“We  shopped  around,  but  only  Software  AG  could  pull  together  these 
three critical elements: open standards, an XML architecture and web services,” he says. “Software AG had the mature tool sets, experience and
vision  we  needed— and  their  ability  to  transfer  knowledge  has  helped  us  to 
enhance  our  own  in-house  capabilities.” 

With  Software  AG’s  help,  CompuCredit  has  designed  for  itself  an  enter¬ 
prise  data  architecture  capable  of  delivering  the  complex  services  needed 

to  meet  the  challenges  of  its  dynamic  business 
environment.  At  the  core  of  the  flexible  and  scal¬ 
able  new  architecture  is  an  XML  Gateway.  A 
doorway  through  which  IT  provides  web  services 
on-demand  to  users’  desktops,  the  XML  Gateway  transparently  provides 
access  to  CompuCredit’s  disparate  data  sources  and  applications. 

ROLLING  OUT  BOTTOM  LINE  RESULTS 

As  the  time  nears  for  the  rollout  of  the  entire  new  enterprise  data  archi¬ 
tecture  into  production,  the  excitement,  says  Sacchi,  is  building. 

“IT  is  the  foundation  that  sustains  the  growth  strategy  of  the  company,” 
he says, “buying us the right to play at the deal table with an advantage
over  our  competitors.  And  it  allows  us  to  acquire  and  manage  portfolios 
more  effectively— if  I  can  deliver  a  one  percent  increase  for  our  collec¬ 
tions,  I’ll  add  $1  million  on  the  bottom  line.  That’s  big,”  adds  Sacchi. 
Agreed. 

For more information contact Gerda Yearwood of Software AG, Inc. at 703-391-8295 or gerda.yearwood@softwareagusa.com




[Diagram: the XML Business Gateway linking Web Services, Enterprise Transaction Systems, Content Management and Mobile Computing]

“If I deliver a 1% increase in collections I add $1 million to my company’s bottom line.”
Guido Sacchi, CIO, CompuCredit

CompuCredit's  robust  growth  strategy  requires  on-demand  delivery  of  quality 
information  to  more  efficiently  acquire  and  manage  credit  card  portfolios. 

That's  why  CIO  Guido  Sacchi  took  on  the  challenge  to  reduce  the  time  to 
service  new  portfolios  from  months  to  weeks  with  the  XML  Business  Gateway. 

Imagine  delivering  to  the  business  user's  desktop  a  single  view  of  information 
from  disparate  data  sources,  risk  models  and  collections  applications - 
right  when  they  need  it. 

Imagine  transforming  data  locked  into  complex  systems  into  real  intelligence 
that  propels  the  business  forward. 

Imagine  working  with  a  partner  who  has  over  30  years  experience  in  data 
management  including  the  early  shaping  and  development  of  XML. 

Guido  did.  And  now  both  he  and  CompuCredit  are  seeing  imagination  turn 
to  reality. 


Discover  the  XML  Effect. 

To  learn  more  about  Software  AG 
and  how  the  XML  effect  can  help 
you  unlock  data  assets,  visit 
www.softwareagusa.com  today. 


Software AG, THE XML COMPANY




Likewise,  when  equipment  manu¬ 
facturer  John  Deere  undertook  a 
large-scale  implementation  of  SAP’s 
R/3  ERP  solution,  it  also  needed  a 
way  to  interface — in  real  time — with  a 
complicated  legacy  environment.  Mer¬ 
cator’s  Inside  Integrator  did  the  trick, 
cutting  the  costs  of  legacy  data  con¬ 
version  and  other  integration  tasks  by 
as  much  as  80  percent. 

DATA  INTEGRATION  WITH  EAI 

EAI  manages  a  host  of  tasks,  providing 
user  interaction  mechanisms  and  Web 
server-  or  application  server-hosted  busi¬ 
ness  logic  that  integrates  apps,  business 
processes  and  legacy  systems.  But  its  real 
focus  is  data  integration.  By  connecting 
diverse  databases  in  different  locations, 
an  EAI  hub— which  includes  data  trans¬ 
formation  and  messaging  components — 
offers  a  consolidated  view  of  business 


information. The hub transports data reliably and securely between databases in a consistent, repeatable way, provided the messaging layer is configured to authenticate its endpoints and encrypt traffic in transit. Because the hub holds connection credentials for every database it integrates, it is also the component whose access controls and audit logging deserve the closest scrutiny.

Data manipulation is directed by an EAI solution’s connectors (database triggers, event-driven adapters and so on), creating a layer of abstraction that makes enhancements and maintenance easier.

There  are  several  implementation 
options  for  EAI: 

■  Buy  it.  Database-to-application  capa¬ 
bilities  are  available  from  Software  AG, 
IBM,  Oracle,  Sybase,  Computer  Asso¬ 
ciates,  Microsoft  and  Sun  Microsystems. 
EAI  tools  are  sold  by  BEA  Systems, 
Mercator,  SeeBeyond  Technology, 
TIBCO,  Vitria  and  webMethods. 

■  Build  it  (quickly).  Perhaps  better  suit¬ 
ed  to  shorter-term  projects  focusing  on 
data  integration  and  targeting  a  few  key 
applications;  thus,  the  number  of 
processes  and  techniques  to  be 


addressed  is  more  manageable  than 
with  some  large-scale  projects. 

■  Leverage  what  you’ve  got.  Instead  of 
investing  in  a  new  architecture,  expand 
your  application  server  functionality 
with  solutions  like  IBM’s  WebSphere  or 
BEA’s  WebLogic. 

COME TOGETHER: XML AND WEB SERVICES

While  Web  services  pretty  much 
remain  a  pipedream,  a  lot  of  the  parts 
needed  to  pull  off  production  applica¬ 
tions  are  coming  together. 

■  Vendors  have  heartily  embraced  XML, 
the  key  enabling  standard.  Relational 
database  manufacturers  are  adding  XML 
data-handling  capabilities,  and  business 
giants  like  Wal-Mart  are  insisting  on 
XML  format  for  invoices  and  the  like. 
While  the  bulk  of  enterprise  data  resides 
in  file  systems  rather  than  in  relational 


NEW  SOLUTION 

LONG  &  FOSTER  FINDS  CONSOLIDATION  SAVINGS  WITH  COMMVAULT 


“The throughput we’re getting with Commvault’s Backup and
Recovery  software  has  been  very  impressive,”  says  Chris 
Saben,  network  architect  at  real  estate  services  provider, 
Long  &  Foster.  “More  importantly,  it’s  given  us  the  comfort  level  we 
needed  to  go  forward  with  our  storage  consolidation  plans.” 

As  Saben  sees  it,  confidence  in  consolidating  is  quickly  lost  if  you 
can’t  restore  rapidly.  But  since  integrating  Commvault’s  Backup  and 
Recovery software for Microsoft Exchange into its newly installed 23-terabyte SAN, Long & Foster’s throughput performance has surged from 22 gigabytes an hour
to  48  gigabytes  an  hour— reducing  backup  and 
restore  time  frames  considerably  and  opening 
the  door  for  storage  consolidation. 

“Capturing  our  primary  backups  onto  the  SAN 
means  we  can  stop  using  so  many  tapes,”  explains  Saben.  “By  back¬ 
ing  up  to  the  SAN  first,  we’re  reducing  our  backup  windows,  allowing 
us  to  back  up  more  servers  in  less  amount  of  time.  Then  during  the 
day,  those  backups  are  moved  off  the  SAN  into  our  large  tape  library 
for  both  long  term  and  off-site  storage.” 

BIGGER  DATABASES  YIELD  SMALLER  COSTS 

Moreover,  with  a  restore  time  of  48  gigabytes  per  hour,  Long  &  Foster 
can  now  comfortably  put  larger  Exchange  databases  on  its  servers 
and,  for  example,  cut  the  number  of  Exchange  servers  needed  to  han¬ 
dle  its  mailboxes  from  ten  to  three. 

“It’s the difference between spending $60,000 versus $200,000 on
servers— that’s  a  huge  savings.  The  combination  of  Commvault’s 


QiNetix  data  management  tools  and  our  SAN  enables  us  to  realign  our 
assets,  to  better  meet  our  future  needs  without  forcing  us  to  make 
large  expenditures  in  infrastructure,”  notes  Saben. 

In  addition  to  the  big  benefits  of  high  throughput,  CommVault’s  deci¬ 
sion  to  drive  its  solution  off  an  SQL  engine,  says  Saben,  delivers  a 
more  robust  database  and  its  use  of  Windows  drivers  means  Long  & 
Foster  can  adapt  quickly  to  new  backup  technologies. 

Saben also credits CommVault Support with the ability to take “ownership” of a problem and anticipates deploying QiNetix software to solve other data management issues. In fact, Long & Foster already has plans to use QiNetix DataMigrator software to make archived data rapidly accessible.


Long  &  Foster  CIO  Michael  Koval  is  also  highly  impressed  with  the 
benefits  of  CommVault’s  Backup  and  Recovery  software. 

“Long  &  Foster  provides  the  most  robust  IS  support  in  the  real 
estate  business,  and  Commvault  offers  a  substantial  value  proposi¬ 
tion,  in  terms  of  performance  and  cost,  that  helps  Long  &  Foster  to 
maintain  its  lead  in  the  industry,”  he  says. 


For  more  information  on  Commvault  QiNetix  enterprise  data 
management  solutions  for  Windows,  UNIX,  Linux  and  Netware 
platforms,  visit  www.commvault.com. 


CommVault Systems




DATA AND STORAGE SOLUTIONS | CONTENT AND DOCUMENT MANAGEMENT

databases, hybrid SQL/XML databases signal that business documents will no longer be beyond the reach of SQL-based querying and analysis.

■ The two competing infrastructures — J2EE (available on application servers from IBM, Oracle, Sun Microsystems, Sybase and BEA) and Microsoft’s .NET — can now furnish the back-end conduits that connect Web services component architectures.

■ New standards supporting a range of business processes across diverse systems and database environments are emerging: BPEL4WS (Business Process Execution Language for Web Services), WS-TX (Web Services Transactions) and WS-C (Web Services Coordination), as well as security initiatives by Web services standards bodies such as XML Digital Signature and the Security Assertion Markup Language (SAML).

■ Standards addressing Web services development will ease data integration challenges. The ANSI SQL/XML standard, for instance, defines how data is mapped between XML and SQL so that developers can write one XML application that will work across multiple relational databases without specialized knowledge of database vendors’ XML extensions.

Some worry that its overhead — text strings rather than binary — makes XML transmissions too bulky and slow for real-time applications. Yet for the 85 percent of apps that don’t require real-time performance, XML will have an enormous impact as vendors and their customers develop XML-enabled data architectures. Consider Bosch Rexroth, a maker of electric drives and controls and hydraulics. After it turned to Software AG’s Tamino XML server to house all product information and integrate databases of images and technical tables, its cross-media publishing tasks — such as catalogs and brochures — became so much more efficient that the system paid for itself in 18 months. SD

CONTENT AND DOCUMENT MANAGEMENT:
DEALING WITH UNSTRUCTURED DATA

Most of the information that drives the business still resides in non-relational applications. It’s unstructured data that cannot be transformed into intelligence using the same tools and techniques that have traditionally worked on structured data.

And  there’s  plenty  of  it  too:  At  the 
end  of 2001,  more  than  3  billion  docu¬ 
ments  could  be  accessed  on  the  public 
Internet,  a  volume  that,  according  to 


search  engine  Google,  is  doubling  every 
eight  months.  No  wonder  employees 
spend  more  time  gathering  information 
than  using  it. 

ENTERPRISE  CONTENT  MANAGEMENT 

The  challenge:  To  enhance  the  quality 
and  longevity  of  information  that 
resides  in  documents,  yet  keep  the  con¬ 
tent  accurate,  complete,  up-to-date, 
easy  to  access  and  relevant. 

This  can  be  accomplished  using 
content  management  systems  (CMS) 
that  handle  interactive  formatting, 
content  modification  and  distribu¬ 
tion.  CMSs  use  standard,  vendor- neu¬ 
tral  techniques  and  separate  produc¬ 
tion  and  distribution  environments. 


Content  management  solutions  usu¬ 
ally  accelerate  information  delivery 
cycles,  permit  multiple  output  chan¬ 
nels  as  well  as  information  personal¬ 
ization  and  make  content  easier  to 
locate  and  use. 

Among  the  capabilities  CMSs  can 
spread  enterprise-wide: 

■  Furnish  a  common  interface  for  all 
content  types,  structured,  unstructured 
and  image-based; 

■  Tag  metadata  via  automated  document 
categorization  and  summarization; 


■  Control  document  versioning,  access 
and  the  ability  to  edit  based  on  job 
function; 

■  Use  document  workflow  rules  to 
ensure  accuracy; 

■  Establish  time  limits  on  how  long 
information  stays  online  and  automati¬ 
cally  update  linked  documents  after 
changes. 

Consider the city of Munich, Germany, whose planners chose Software AG’s Tamino XML server and a Web portal to cope with an out-of-control document volume. The server manages document metadata and controls portal communication. With the CMS, document processing times have been cut by between 25 percent and 60 percent. SD


DATA AND STORAGE SOLUTIONS | STORAGE MANAGEMENT


STORAGE  MANAGEMENT: 

SOLUTIONS  THAT  CONSOLIDATE  AND  AUTOMATE 


According  to  research  by 
the  Enterprise  Storage 
Group,  a  picture  is  worth 
about  18,000  words.  All 
those  bits  and  bytes  are 
adding  up  fast  too:  the 
amount  organizations  are 
spending  on  data  storage 
this  year  is  over  100  per¬ 
cent  more  than  they  spent  in  2001. 

Piling on more storage hardware — a tempting proposition as storage hardware costs drop dramatically — only makes storage infrastructures more complex and tougher to manage. Besides, storage utilization levels are so low that more than half of typical host storage is unused. Buy more, waste more.

Still,  many  enterprises  rely  on 
direct-attached  storage  that  can’t  be 
shared  and  is  tough  to  safeguard.  For 
decentralized,  heterogeneous  IT  envi¬ 
ronments,  the  costs  and  hassles — strug¬ 
gles  to  meet  service  levels,  inconsistent 
data  integrity  and  security,  and  rigid 
infrastructure — are  becoming  over¬ 
whelming  in  the  face  of  demand  for 
more  data,  more  quickly,  more  often. 


The  good  news  is  that  there’s 
something  a  CIO  can  do  about  it:  con¬ 
solidate  storage  resources,  a  task  most 
effectively  accomplished  with  net¬ 
worked  storage. 

BEYOND COST CONTAINMENT

For  many,  bringing  rationality  to  stor¬ 
age  woes  begins  with  a  simplification 
and  recentralization  of  storage 
resources.  At  a  time  when  data  storage 
is  gobbling  up  more  of  the  budget, 
consolidating  storage  can: 

■  Lower  system  administration  overhead.  A 


CASE STUDY

Mobliss, a leading mobile media company, is the workhorse behind the real-time voting and polling which is fast becoming a ‘must have’ for reality and sports shows.

In  2002  the  company  expanded  the  size  and  scale  of  its 
offering  linking  it  to  TV  for  a  real-time  presence  that 
prompts  viewers  to  “vote”  via  text  messaging. 

Not  knowing  how  much  traffic  it  would  receive,  Mobliss’  vice  president  of 
infrastructure,  Hernan  Alvarez,  and  his  team  looked  for  a  storage  solution 
that  could  ramp  up  quickly. 

“We  knew  success  meant  finding  a  fast,  reliable, 
scalable  storage  solution,”  says  Alvarez.  “We  looked 
at  a  number  of  alternatives  but  nothing  compared  to 
EMC’s  CLARiiON  CX200— it’s  simply  the  best  entry- 
level  array  out  there,  period.  And  it  was  very,  very 
easy  to  get  up  and  running— we  had  a  pair  of  databases  talking  to  that  sys¬ 
tem  in  minutes  and  it’s  been  running  without  a  hiccup  since.” 

IN-PLACE UPGRADES

One  of  the  major  CX200  draws,  says  Alvarez,  is  the  data-in-place  upgrades. 

“Not  knowing  how  scalable  we  will  need  to  be  makes  the  in-place  upgrades  a 
key for us,” he explains. “The ability to go from a CX200 to a CX400 or CX600 with data-in-place, with very little interruption, is significant. Other vendors can
add  disk,  but  that  alone  does  not  get  you  the  number  of  I/Os  per  second  you 
may  need  for  a  fast  transactional  application  like  real-time  messaging.” 

CONSOLE  COMFORT  AND  MIXING  DRIVES 

Alvarez  is  also  pleased  with  CLARiiON’s  Navisphere  management  software, 
which  he  says  is  intuitive  and  requires  little  training. 

“Navisphere  is  a  great  management  tool,”  says  Alvarez.  “We  know  what 
each  individual  disk  is  doing  and  the  ability  to  manage 
everything  about  the  array  from  the  console  is 
extremely  productive.” 

Mobliss  is  also  looking  forward  to  leveraging  ATA 
drive  technology. 

“Mixing  your  high-speed  fibre  drives  with  lower 
speed,  high-capacity  ATA  drives  is  very  attractive;  the  price  per  megabyte 
is  so  low,”  notes  Alvarez.  “We  have  a  lot  of  storage  we  don’t  need  at  break¬ 
neck  speeds;  but  we  want  it  to  be  there  at  acceptable  speeds,  with  the 
same reliability as our high-speed data. The ability to intermix in a single product line is huge; we’ll definitely be investing.”

For  more  information,  contact  www.emc.com 


[EMC advertisement: TO SPEED BACKUP AND RECOVERY, CUT ALONG DOTTED LINE. The dotted line separates SERVERS from STORAGE.]


Separating  storage  and  server  purchases  is  the  first  step  to  faster,  more  secure  backup.  With  networked  storage  from 
EMC,  you  can  consolidate  all  your  information,  protect  it  better,  and  manage  it  more  efficiently.  And  with  solutions 
starting  at  $9,995,  the  EMC  CLARiiON  CX  Series  delivers  world-class  storage  at  a  surprisingly  affordable  price. 

Take  advantage  of  our  special  offers  at  www.EMC.com/growthcompanies.  Or  call  1-866-796-6369. 


EMC² Velocity² Partner: find an authorized EMC Velocity Partner at www.EMC.com/velocity

CX Series starting at $9,995


EMC², EMC, and CLARiiON are registered trademarks and where information lives is a trademark of EMC Corporation. ©2003 EMC Corporation. All rights reserved.




simpler  storage  infrastructure  can  mean 
fewer  data  centers,  less  maintenance, 
trimmed  staff  costs  and  reduced  licensing 
fees.  After  Blue  Cross  and  Blue  Shield  of 
Tennessee  (BCBST)  consolidated  its  data 
storage  into  a  single  networked  environ¬ 
ment  and  implemented  a  storage  area  net¬ 
work  (SAN),  storage  expenditures  dropped 
by  60  percent  and  maintenance  costs  went 
down 70 percent. Add in space reduction, staff avoidance costs and productivity improvements, and the savings amount to between $1.5 million and $2 million a year.

■ Boost storage utilization. Why are storage resources so poorly utilized? Mostly because of inadequate connectivity. Networked storage, which separates data
storage  from  operational  servers  and 
makes  it  available  in  shared  pools  to  end 
users  via  networks,  can  be  dynamically 
allocated  so  that  less  storage  space 


remains  unused.  Storage  resources  of 
varying  types  can  be  added  quickly  when 
and  where  needed — BCBST  boosted  its 
storage  utilization  by  40  percent. 

■  Generate  economies  of  scalability. 
When  combined  with  the  right  man¬ 
agement  software,  networked  storage 
enables  an  organization’s  storage  infra¬ 
structure  to  scale  to  the  growth  of  data 
volumes. 

■  Make  data  management  easier,  even 
as  the  amount  and  complexity  of  data 
and  its  uses  continue  to  grow. 

■ Improve security and business continuity plans. As compared to labor-intensive, direct-attached storage, consolidated storage solutions with automated backup and high-availability configurations can improve data safety and reliability while requiring less human intervention. The caveat is that consolidation also concentrates risk: a shared SAN needs fabric-level access controls such as zoning and LUN masking, because a single misconfiguration can expose every attached host’s data at once.


■  Help  align  IT  infrastructure  with  busi¬ 
ness  strategy.  Here’s  your  chance  to  opti¬ 
mize  a  major  chunk  of  IT  infrastructure 
so  it  can  meet  current  and  future  enter¬ 
prise  demands — including  legal  require¬ 
ments  imposed  to  maintain  data  privacy 
and  management  standards. 

■  Facilitate  resource  metering.  Once 
storage  gets  provisioned  from  a  central 
resource,  usage  can  be  monitored, 
measured — and  billed. 

THE  UTILITY  OF  IT  ALL 

Many  believe  all  this  adds  up  to  utility 
computing — a  rejiggering  of  core  data 
center  technologies  in  order  to  trans¬ 
form  the  components  of  IT  infrastruc¬ 
ture,  like  storage,  into  services  for  which 
end  users  can  be  charged. 

But  utility  computing  can’t  happen 
without  storage  management  software. 


COMPANY PROFILE

In today’s demanding times, market conditions are forcing companies to reconsider the ways in which they assign value to their information. Budgets are flat or declining and skilled human resources are scarce, while at the same time, more information is flowing through businesses (at annual growth rates of 50 to 70 percent), and more laws and regulations are mandating how long information must be accessible.

That’s  why  StorageTek,  a  total  storage  solutions  expert,  created  its 
Information  Lifecycle  Management  approach  to  helping  customers  more 
efficiently  manage  information  from  its  creation  to  deletion. 

For  StorageTek,  Information  Lifecycle  Management  is  more  than  just 
words  on  paper.  It’s  the  way  the  company  approaches  data  storage  and 
solves  information  management  issues  with  its  customers  based  on  two 
key  issues: 

(1) What business decisions do customers need to make about their information?

(2)  How  does  the  value  of  information  change  over  time? 

ONE  SIZE  DOES  NOT  FIT  ALL 

StorageTek, one of a few companies that provide a full array of solutions to meet the data storage and archiving needs of businesses, understands that not all data is created equal and that, as data moves through its lifecycle, it must be managed and can be stored on different levels and increasingly cost-efficient technologies.

As  a  result,  StorageTek  is  successful  in  the  market  because  it  is 
equipped  to  offer  customers  the  best  solution  that  addresses  their  criti¬ 
cal  information  management  issues,  while  its 
competitors  take  a  “one  size  fits  all”  approach  by 
recommending  the  storage  devices  they  have  to 
sell  instead  of  the  technology  that  best  address¬ 
es  customers’  requirements. 

STORE, MANAGE, REPLICATE, INTEGRATE

The building blocks of Information Lifecycle Management are store, manage, replicate and integrate. These four elements organize storage-related activities logically and assure customers of a proper cost-benefit balance in managing storage.

Not surprisingly, StorageTek’s customers are embracing Information Lifecycle Management because it gives them a solid foundation on which to build their storage infrastructure as they grow.

Through Information Lifecycle Management, StorageTek helps customers solve pressing strategic business issues while lowering the cost and improving the efficiency of their storage operations.

For more information, visit www.storagetek.com


STRATEGIC DIRECTIONS 14

CIO ADVERTISING SUPPLEMENT

DATA AND STORAGE SOLUTIONS | STORAGE MANAGEMENT


Leading IT infrastructure vendors like IBM, Hewlett-Packard, Veritas, Computer Associates and Sun Microsystems have committed to a vision of utility computing that embraces elements of storage management. As these efforts mature, several kinds of storage management capabilities will be integrated into them:

■ Storage provisioning, which dynamically deploys and optimizes hardware resources

■ Storage virtualization, which logically abstracts storage from physical resources

■ Storage policy-based management, which helps set performance and availability service levels

■ Storage resource management (SRM), which features billing, chargeback and capacity management.

STORAGE VIRTUALIZATION

As IT grapples with burgeoning volumes of data and the creeping complexity of storage environments, storage virtualization solutions can offer some relief.

Virtualization creates an abstraction layer that separates the actual physical storage from the representation of storage presented to the server operating system, portraying data stored in any number of media, devices and locations as if it were located in one centralized repository. This virtualized pool of enterprise data thus hides the complexities of the storage infrastructure. Everyone—IT staffers as well as end users and their business applications—gets a single, logical view of all the data in the storage pool, allowing them to access the information they need directly, wherever it physically resides.

Pooling 70 terabytes of arrayed storage, DataCore Software’s virtualization appliance has boosted Conseco Finance Corp.’s storage utilization rate to 85 percent from 55 percent, and the time required to provision storage for new applications has plummeted from four days to just an hour. The company has saved three times what the DataCore product cost, in part by being able to postpone the purchase of three additional terabytes of storage.

In addition to virtualization vendors like Legato (recently acquired by EMC Corp.) and DataCore, several major players are stepping into the ring, among them IBM, Cisco Systems, Hewlett-Packard and Sun Microsystems.

STORAGE RESOURCE MANAGEMENT

Before data can be migrated to a storage area network (SAN) or a network-attached storage (NAS) environment, it needs to be categorized according to such variables as file type, access date, owner and business value. Without this kind of granularity, conceiving effective storage policies—essential to successful storage consolidation projects—is tough to do.

This type of categorization is performed by storage resource management (SRM) tools, which collect information about storage assets, place it in a central repository and, using analytical tools, optimize storage assets and anticipate storage requirements.

Even though SRM tools tend not to initiate actions themselves, they generate significant ROI, since the alternative is manually analyzing and categorizing enormous volumes of data. Many companies, including Veritas, IBM and Computer Associates, offer SRM products. Once integrated with storage policy and virtualization capabilities that allow them to automate service-level management, data path optimization, provisioning and so on, SRM tools will become key to infrastructure management.

To get the most from SRM, look for products that deliver active, policy-based management, permit file-level automation across heterogeneous platforms and initiate corrective actions to help maintain storage asset availability. They should also manage data within mission-critical applications (such as Microsoft Exchange, SQL Server and Oracle) so you can get a consolidated view of storage assets.

“No organization should be without an SRM solution,” says Nancy Marrone, senior analyst at Enterprise Storage Group. “These tools provide information on how resources are being utilized, who the users are, and what types of files and data are being stored. SRM solutions can help organizations reclaim wasted space, more effectively utilize their resources and predict when they’ll need additional capacity. The solutions aren’t too expensive and help reduce total cost of ownership.”

SAN MANAGEMENT TOOLS

Highly specialized SAN management tools supply the physical layer of storage management by identifying, configuring, allocating and deploying storage assets in heterogeneous environments.

EMC’s Control Center, for instance, features array management, while McData’s SANavigator is a fabric manager. Other products, such as Veritas’ SANPoint Control, EMC’s VisualSAN and InterSAN’s Pathline, are designed to work in heterogeneous environments.

Storage management vendors are working to combine the capabilities of both SRM and SAN tools to optimize storage use in real time, according to established policies and processes. Active storage management tools are being developed by Veritas, EMC, IBM, Hewlett-Packard and Sun Microsystems, among others.

INFORMATION LIFECYCLE MANAGEMENT

Not all data is created equal. Organizations “embrace information lifecycle management because they understand that the value of data changes over time,” says Pat Martin, chairman, president and CEO of StorageTek.

The value of data, adds Steve Duplessie, a senior analyst at the Enterprise Storage Group, “is the one overlooked variable that really screws everything else up. We tend to treat data the same from inception to death, but clearly the value of the data changes over time, and as such should be treated differently.”

Information lifecycle management (ILM) software addresses this problem with the concept of a lifecycle: data is treated uniquely according to its comparative value, and, as that value changes, the level of accessibility and protection it gets is altered dynamically. The result: better quality of service at reduced cost.

Sounds good, but it’s tough to implement in the heterogeneous, networked IT environments that serve many organizations. Many tasks—including the ability to understand data within the context of its file system or application, as well as data replication, volume management/virtualization, migration and archiving—must be coordinated across a variety of network, system and storage platforms.

Well-designed data and storage management policies can help, says analyst Steve Kenniston of the Enterprise Storage Group, calling them “the beginning of true information lifecycle management and the ability to monitor data growth better for planning purposes. By managing what data lives where and at what time, you can control how data is protected and increase protection levels.”

THE CHALLENGES

What does it take to make storage consolidation happen?

Security. “There are certain vulnerabilities that are introduced when consolidating and networking data,” says Enterprise Storage Group’s Marrone. “The benefits of consolidation may outweigh the risks, but organizations must perform additional security assessments to make sure data is secure. Data deemed critical to the business should be protected by more than just an external firewall.” She suggests encryption for “data at rest” so that critical information is not compromised.
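As an added illustration, not taken from the supplement or from any vendor it names, the following Python pass ties together the SRM categorization variables described earlier (file type, access date, owner, business value), the ILM idea that accessibility and protection follow the changing value of data, and Marrone’s point that critical data needs more than a perimeter firewall. The tier thresholds, control names, file paths and owners are all hypothetical and constructed for the example.

```python
"""Added example (not from the supplement or any vendor in it): an SRM-style
inventory pass that applies a hypothetical ILM tiering policy and records the
protection each asset needs, so critical data is not left to the perimeter alone."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Asset:
    """One record as an SRM collector might store it in its central repository."""
    path: str
    owner: str
    file_type: str        # e.g. "db", "mail", "doc", "tmp"
    size_gb: float
    last_access: date
    business_value: str   # "critical", "important" or "low"


# Hypothetical policy: per value class, the longest idle time (days) a tier may
# hold data before it moves down the hierarchy. None marks the terminal tier.
TIER_POLICY: dict[str, list[tuple[Optional[int], str]]] = {
    "critical":  [(90, "online"), (365, "nearline"), (None, "archive")],
    "important": [(30, "online"), (180, "nearline"), (None, "archive")],
    "low":       [(7, "online"), (60, "nearline"), (None, "reclaim")],
}


def days_idle(asset: Asset, today: date) -> int:
    """Days since last access: the SRM 'access date' variable."""
    return (today - asset.last_access).days


def assign_tier(asset: Asset, today: date) -> str:
    """Return the first tier in the asset's value class whose idle bound still
    covers it; the value class, not the file alone, decides how fast it ages."""
    idle = days_idle(asset, today)
    for max_days, tier in TIER_POLICY[asset.business_value]:
        if max_days is None or idle <= max_days:
            return tier
    raise ValueError(f"no terminal tier for value class {asset.business_value!r}")


def required_controls(asset: Asset, tier: str) -> list[str]:
    """Protection follows value: critical data gets encryption at rest and
    off-site replication on every tier; archived data also gets a retention hold."""
    controls = ["access-control"]
    if asset.business_value == "critical":
        controls += ["encrypt-at-rest", "replicate-offsite"]
    if tier == "archive":
        controls.append("retention-hold")
    return controls


def classify(inventory: list[Asset], today: date) -> list[dict]:
    """Produce one report row per asset: tier, idle age and required controls."""
    rows = []
    for asset in inventory:
        tier = assign_tier(asset, today)
        rows.append({
            "path": asset.path, "owner": asset.owner, "tier": tier,
            "size_gb": asset.size_gb, "idle_days": days_idle(asset, today),
            "controls": required_controls(asset, tier),
        })
    return rows


def gb_by(rows: list[dict], key: str) -> dict[str, float]:
    """Roll up capacity by 'tier' or 'owner': the reclaim bucket is the space an
    SRM report would flag as wasted, the owner view is the chargeback input."""
    totals: dict[str, float] = {}
    for row in rows:
        totals[row[key]] = round(totals.get(row[key], 0.0) + row["size_gb"], 3)
    return totals


# Constructed inventory and report date; paths and owners are made up.
INVENTORY = [
    Asset("/db/oracle/fin01.dbf", "dba", "db", 120.0, date(2003, 9, 1), "critical"),
    Asset("/mail/exchange/priv1.edb", "msg", "mail", 40.0, date(2003, 8, 15), "critical"),
    Asset("/home/jsmith/q1-report.doc", "jsmith", "doc", 0.5, date(2003, 5, 1), "important"),
    Asset("/tmp/build/cache.bin", "ci", "tmp", 30.0, date(2003, 3, 1), "low"),
    Asset("/archive/2001/ledger.csv", "fin", "doc", 12.0, date(2001, 12, 31), "critical"),
]
AS_OF = date(2003, 10, 1)

if __name__ == "__main__":
    report = classify(INVENTORY, AS_OF)
    for r in report:
        print(f"{r['tier']:<8} {r['idle_days']:>4}d {r['size_gb']:>7.1f} GB  "
              f"{r['path']:<30} {', '.join(r['controls'])}")
    print("GB by tier: ", gb_by(report, "tier"))
    print("GB by owner:", gb_by(report, "owner"))
```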

Getting everybody together. “The first thing a CIO needs to do,” says Hugh Hale, director of technical services at Blue Cross and Blue Shield of Tennessee (BCBST), “is to make certain all of IT’s various support groups come together and develop one, broad strategy. Convincing all the technical support groups to play together is the biggest challenge.”

Hale advises focusing on each group and getting them to consider potential solutions from an enterprise perspective: What’s the most efficient? What works best for everyone? For the community?

He also suggests putting the problem and proposed solution to management: convince company executives that creating a homogeneous environment is so much better in the long run, Hale says.

“I had to explain to them that, yes, while it’s true I could buy a server that is better than the ones we have installed, if you take a look at the total environment, the homogeneous environment is easier to manage, takes the least amount of staff, and we get tremendous vendor support,” he recalls. “We found discussions centering on reliability and availability of the applications very effective in getting executive buy-in.”

BUSINESS CONTINUITY AND DISASTER RECOVERY: PREVENTING BUSINESS INTERRUPTION

A significant, sustained interruption of enterprise operations or information flow can drive a company right out of business. Adding to the pressure are recently passed laws and initiatives—including the Gramm-Leach-Bliley Financial Services Modernization Act, the Health Insurance Portability and Accountability Act (HIPAA) and the European Data Privacy Directive—that hold organizations responsible when personal data goes astray or corporate information isn’t preserved.

Yet according to the research firm Gartner, fewer than 30 percent of Fortune 2000 companies actually have a full business continuity plan in place. Fortunately, there are more ways than ever to safeguard data and the systems that move and store it.

DEVELOPING A BUSINESS CONTINUITY PLAN

The challenge is to understand your business sufficiently that you can determine which processes it needs to stay alive, and then ascertain all the essentials—physical facilities, employees, skills, training, etc.—necessary to those processes. Some best practices:

Assessing risk. Do you understand your business? To figure out where your organization is vulnerable, you’ll need to assign a project team that consists of IT, security and business unit staff. The team’s job is to identify and prioritize mission-critical business processes and evaluate downtime costs. Their deliverables: conclusions about the costs of downtime for your business, what it’ll take to recover the availability of key processes and what kinds of service availability key applications require.


SECURITY SOLUTIONS CENTER


DTS SOFTWARE, INC.

I Realize the DASD Cost per Megabyte Is Going Down...

And the cost of DASD is more than just the acquisition cost: there is the cost of backing up the storage, the telecommunication cost of replication and the management cost. Wouldn’t it be better to manage the DASD you already have before you buy more?

For more information on how to increase your utilization and manage your mainframe DASD more effectively, contact DTS Software at 770-922-2444 or email info@DTSsoftware.com


Rorke Data, a subsidiary of Bell Microproducts
Email: lprke@rorke.com
Phone: 800-328-8147 x7880
www.rorke.com/enterprise/

Data storage and email solutions that meet regulatory compliance for SEC 17a-4, Sarbanes-Oxley and HIPAA.

Open and scalable solutions that integrate high-speed, online disk storage with regulatory-compliant WORM media. An option to integrate email management for small to large Microsoft Exchange environments is available as well. Rorke Data solutions scale from 2TB to 100TB plus.


3PAR
Serving Information
E-Mail: salesinfo@3pardata.com
Phone: 888-372-7226
www.3pardata.com

3PAR Utility Storage is an intelligent and highly functional disk array subsystem. With breakthrough hardware and software innovations, 3PAR overcomes the complexities, cost and functional limitations of current storage solutions. 3PAR has delivered Utility Storage solutions to the government sector, both in the U.S. and abroad, and to the commercial sector, which includes financial services, technology, bio-pharmaceutical and telecom companies.


INNOVATION DATA PROCESSING
Innovation Data Processing
275 Paterson Avenue
Little Falls, NJ 07424
Phone: 973-890-7300
Fax: 973-890-7147
www.innovationdp.fdr.com

Innovation Data Processing is an enterprise business data protection leader with the FDR Family of Storage Management products, including FDR/UPSTREAM for Open Systems and zLinux, and IAM for VSAM application acceleration. FDRINSTANT extends the data replication technology of storage vendors, such as FlashCopy, with non-disruptive protection. FDRPAS provides economical, non-disruptive disk and volume relocation, making new hardware installation a snap.


For more information and up-to-date storage research and resources, please go to www.cio.com/research/data


DATA AND STORAGE SOLUTIONS | DISASTER RECOVERY


Designing business continuity and recovery plans. Repeatable recovery strategies and processes are delineated, including the formalizing of business continuity policies, management and auditing, and the creation of crisis management teams and procedures. Service levels should be defined using classification systems that lay out requirements for infrastructure, operations architecture and development endeavors.

Building a business continuity response. As business continuity designs are assembled, detailed plans and routines are formulated for those handling daily operations. Then, as much as possible (since some plans may not be testable), they’re tested. And tested. And tested again. This begins an iterative process—ongoing testing results in adjustments to the plan, improving the chances of surviving a disaster.

Monitoring and maintenance. Because business requirements are always changing, business continuity plans must be updated frequently. Part of your business continuity plan design and construction should address procedures for reviewing the plan and making changes as necessary. Testing should be continual—and don’t forget staff rehearsals.

Continuity in the culture. If business continuity processes are integrated into every project lifecycle and change management process, then continuity and recovery requirements can be understood and incorporated as new projects and processes are initiated. You’ll also need a continuing campaign to improve business continuity policy awareness and management practices across the organization.

TECHNOLOGIES THAT MAKE BUSINESS CONTINUITY PLANNING EASIER

To provide true continuity for critical business processes, not just critical data, companies must:

■ Maintain a variety of redundancies dedicated to business continuity, including redundant network capacity, electrical supplies from different power grids and offsite location of failover gear

■ Assure immediate availability of adequate latent capacity to sustain rapid failover and recovery

■ Find ways to test capacity availability without disrupting current operations.

Among the technologies that make these efforts easier:

High-availability solutions that enable organizations to recover in minutes rather than days. 3PARdata’s storage servers, for instance, combine hardware and software fault tolerance so software can be upgraded online, and are scalable from entry-level installations to large, centralized systems.

Distributed applications architectures in which applications inhabit several active physical sites, so that if one center goes down the others can still process application requests.

COMPANY PROFILE

VERITAS

IT departments today are under pressure to provide ever-higher levels of service while reducing operational and infrastructure costs. To meet these challenges, more and more IT departments are shifting to a utility model that delivers computing power and storage capacity from shared, centralized resources.

NEW TOOLS AND CAPABILITIES

Managing the utility model requires new tools and capabilities. With the VERITAS one-source SRM solution, IT professionals can facilitate the transition to utility computing from a storage perspective.

The VERITAS SRM solution provides storage management from three integrated products: VERITAS SANPoint Control covers physical storage management; VERITAS Storage Reporter takes care of logical storage management; and VERITAS Service Manager for Storage performs business management functions.

• VERITAS SANPoint Control provides centralized, proactive management of the storage infrastructure. Seamlessly integrating policy and performance management, storage provisioning, and zoning capabilities, VERITAS SANPoint Control simplifies the complex tasks of managing and monitoring a multi-vendor networked storage environment.

• VERITAS Storage Reporter enables IT organizations to know exactly what users, applications or file types are consuming valuable storage space. With Storage Reporter, IT managers get a complete view into the usage of storage across the enterprise, allowing them to raise storage utilization rates to the point where they quickly recover their software investment.

• VERITAS Service Manager for Storage helps organizations align IT strategies with business priorities. VERITAS Service Manager allows IT to centrally manage delivery of IT storage services and quantify the results of expenditures by providing complete business-level reporting of storage utilization, costs, and service-level delivery.

The VERITAS SRM Suite is the one-source solution for IT departments seeking the most reliable and economical way to meet storage and availability requirements.

For more information about utility computing from a storage perspective, visit www.veritas.com

DATA AND STORAGE SOLUTIONS | THE ROI OF STORAGE

WHERE THE PAYBACKS ARE: THE ROI OF STORAGE SOLUTIONS

Here are some of the results companies have used to support their business cases:

When COPIC Insurance was moving from a mainframe to an Oracle platform, it needed to migrate lots of legacy data but lacked the SQL experience needed to do so. Using Informatica’s data integration platform, the migration was finished in nine months (vs. the usual two years) with just two developers, and one migration project saw cost savings of 50 percent. What’s more, COPIC’s data warehouse maintenance and support costs are significantly lower and it’s easier to train developers.

Brokerage house Legg Mason used Legato’s DiskXtender and ApplicationXtender to create a cost-effective data management solution capable of handling massive amounts of data. Working in conjunction with Legg Mason’s corporate intranet, the solution has virtually eliminated the company’s need for paper report delivery and storage and reduced the time necessary to retrieve client documentation from hours (sometimes days) to seconds.

Implementing StorageTek’s Virtual Storage Manager helped soy sauce maker Kikkoman reduce the 1,500 magnetic tapes required to record its mission-critical data to just 500 tapes—a savings of about 67 percent.

One of the largest suppliers of products and services to the global semiconductor industry, Applied Materials, realized a $2 million savings in storage costs in the first year after implementing OuterBay’s LiveArchive software—and has saved $1 million in storage costs every year since. Applied Materials was also able to reduce its database growth rate from 156 gigabytes to 16 gigabytes a year—an annual growth rate reduction of 90 percent.

Application services provider USinternetworking, Inc. (USi), reports getting four to five times better backup speed with Veritas NetBackup DataCenter compared to its previous solution. USi is also able to restore any server or packaged application completely from the ground up.

Load balancing across multiple physical sites (generally for non-transactional apps) and hot standby, a redundant application environment that’s available when an outage hits the primary physical site (for transactional applications), alleviate the complexity of multiple-site design and ease conflict resolution. For hot-standby and load-balanced sites, data is often replicated between sites via mirroring or shadowing (at the transaction or data level).

Data replication—notably mirroring and shadowing—is used often with load-balanced and hot-standby sites, replicating databases and file systems. Point-in-time replicas synchronize backup and recovery across multiple systems.

Clustering, which replicates data between sites, monitors site availability and responds to outages by conducting automated recovery at the alternative site.

Snapshots capture, well, snapshots of data. EMC Corp.’s Snap, which works with the firm’s Symmetrix DMX networked storage products, generates pointer-based snapshots of production data volumes.

Storage management software delivers the ability to move files quickly and recover even the largest data files in minutes. StorageTek’s Application Storage Manager, for example, exploits storage virtualization and automates data management and retrieval across the storage hierarchy via user-defined data policies.

DTS Software’s Storage Control Center comprises an integrated suite of storage management programs that handle backup, debugging, utilization monitoring, disk space recovery, and DASD and tape management.

Rorke Data’s global namespace management applications allow clients to access files without knowing their location. Administrators can aggregate file storage across heterogeneous, geographically distributed storage devices, and view and manage it as a single file system.

Vendors are also working together to create comprehensive business continuity solutions. For instance, EMC has joined with Legato and Nortel Networks to offer a solution that allows disparate data centers to behave as one. In the event of an outage, transactions are automatically rerouted to an alternate site without requiring restore or restart procedures.

BlueStar  Solutions,  a  provider  of 
hosted  enterprise-class  applications,  is 
using  Veritas’  Volume  Replicator  to 
shrink  data  loss  to  no  more  than  1 5 
minutes  (with  a  guarantee  that  the  data 
is  consistent  and  applications  can  be 


brought  back  up).  BlueStar  has  also 
reduced  downtime  to  only  10  minutes 
from  start  to  systems  recovery  in  its 
alternate  data  center  using  Veritas’ 
Global  Cluster  Manager. 

Innovation  Data  Processing’s 
enterprise  storage  management  soft¬ 
ware  has  helped  M&T  Bank’s  enter¬ 
prise  storage  department  take  on  back¬ 
up  tasks  without  needing  dedicated 
tape  drives  to  do  it. 

Unified  enterprise  data  manage¬ 
ment  solutions  ensure  high-perform¬ 
ance  data  protection,  universal  avail¬ 
ability  and  simplified  management  of 
complex  storage  networks.  The  Com- 
mVault  software  platform,  for  instance, 
integrates  backup  and  recovery,  data 
migration,  data  high  availability  and 
storage  management  software.  SD 


STRATEGIC  DIRECTIONS  19 



Only VERITAS detects, diagnoses, and corrects performance problems from application to storage array. Stop the finger pointing by pointing your browser to veritas.com

VERITAS

2003 VERITAS Software Corporation. All rights reserved. VERITAS and the VERITAS Logo Reg. U.S. Pat. & Tm. Off.


“The discussion and information exchange with peers is invaluable.”

Robert Odenheimer, SVP, IT Operations, Magellan Behavioral Health

“The content presented by Peter Weill was an excellent framework to discuss current challenges with a very interesting peer group.”

Chris Acton, Global IS, Rio Tinto Borax

“Lessons learned are not the usual academic fare, but the subtleties of the cultural and technological minefields.”

Evelyn Lockett Woods, EVP/CIO, Joint Commission on Accreditation of Healthcare Organizations

or visit us at www.cio.com/conferences.


Retreat Moderator

Peter Weill

Director, Center for Information Systems Research, MIT Sloan School of Management

The Case Studies

Peter Weill once again presents new findings and case studies from work with hundreds of Global 1000 companies, focusing on three key areas: IT infrastructure for strategic agility, effective business models, and IT governance.

> IT Infrastructure for Strategic Agility

Strategic agility, the ability to implement new business initiatives quickly and cost effectively, will be an increasingly important capability for enterprises in 2004. IT infrastructure is one of the critical platforms required for strategic agility. Investing in the right infrastructure at the right time enables rapid implementation of future electronically based business initiatives and cost reduction of current business processes—i.e., more business value. This session presents a framework for senior executives to view IT infrastructure in business terms and to lead in making investment decisions. Weill illustrates how firms successfully implement and exploit their IT infrastructures with several case studies.

> Do Some Business Models Perform Better than Others?

In an increasingly connected business world the business model—what a firm does and how it makes money—is a critical strategic decision. Understanding what business models are used, how they are combined, and which are most successful is important for every senior manager. In addition, firms implementing each model use IT differently—resulting in different IT portfolios. This presentation provides a new and powerful way to analyze a firm’s business model and then think about the IT needs.

> IT Governance Workshop

In response to strong interest in last year’s session on IT governance, Weill leads a workshop on how top performers govern. He presents case studies and insights from MIT CISR’s study of effective IT governance in 256 enterprises in 23 countries. A framework is presented in this workshop to analyze and communicate governance, illustrated with case studies of top performers.

> Monday’s Case Study Workgroups

Monday at lunch we divide into small groups to investigate the link between business strategy and IT infrastructure in a new case study. The case is based on a global multi-business unit firm in the healthcare industry moving from a fully decentralized approach to information technology to providing some firmwide IT infrastructure. The challenge for your group is to advise the newly appointed CIO. Groups will report back with their recommendations.


The Enterprise Value Award Winners

They’re scrutinized by CIO editors, Review Board members, and our judging panel of top-notch CIOs. Meet the winners of the prestigious CIO Enterprise Value Award and learn how they delivered true value.

> The Value Proposition

Our panel of CIO Enterprise Value Award winners talks about the ongoing difficulty inherent in demonstrating and delivering IT value. How do you convince your CEOs, CFOs and COOs—who may think IT is just a commodity, a utility—that its intelligent application and deployment can and does indeed bring strategic value to the business?

> Monday Night’s Gala Awards Ceremony & Dinner

We’ll announce the winner of the Grand CIO Enterprise Value Award—and honor all the winners in the industry categories at a black-tie reception, awards ceremony and dinner. It’s a great time to celebrate with your CIO peers.

> Conversations with This Year’s Winners

We offer breakout sessions with the CIOs of this year’s winning organizations. It’s your chance to talk at a more intimate level, discuss their particular case in more detail and take away lessons you can apply to your own organization back home.


The Peer Networking

CIOs tell us it’s as important to have opportunities to meet informally with their peers as it is to participate in the Retreat sessions. We give you more opportunities to meet and learn from more of your peers over three days, with the golf tournament Sunday morning, informative chats at breakfast and lunch roundtables, the intensely interactive case study workgroup sessions, and relaxed conversations during the daily receptions. And we’re happy to hook you up with other attendees or corporate sponsors you’d like to meet.


Sunday Night Special Event

Jimmy Tingle’s Uncommon Sense

It’s a scary, unpredictable—and absurd—world we live in. Satirist, comedian and commentator Jimmy Tingle takes us on a highly personalized tour of the absurdities of modern life. You’ve got to laugh to survive.

This year’s Enterprise Value Retreat Awards Ceremony is proudly underwritten by

BMC Software

Assuring Business Availability®


From configuring the hardware to connecting all the stovepipes, security executives need to tune up both for light jabs and roundhouse rights. Executive Editor Derek Slater talked defensive strategy with Bill Boni and Ira Winkler.

Bill Boni is vice president and CISO of Motorola. Ira Winkler is chief security strategist for Hewlett-Packard. In separate interviews, CSO Executive Editor Derek Slater discussed with them their respective visions of what’s needed to get the security practice in shape. Both advocated paying attention to the little things.

CSO: You’ve both mentioned “the death of a thousand cuts” as a description of what security faces today. What does that mean?

Ira Winkler: Let me give you a recent example. I was talking to somebody at a large Canadian railroad company. She said, “I’m trying to convince my boss of the need for computer security. And he has this attitude that, first of all, we’re a railroad company, we’re not that high-tech. And, on top of that, we’re not an American company, so we’re not a target that anybody really cares about.”

In other words, the boss doesn’t believe [his company is] going to be the target of a devastating attack. OK, let’s accept that—because, quite frankly, I think all these claims of terrorism and all the FUD work against us anyway. Still, I asked if she was hit by Code Red? She said, Yes. Nimda? Yes. Slammer? Yes. Other viruses? Yes. I asked, “Do you have insiders doing things that cost you a lot of money?” She said, “Yes, we have a lot of incidents we have to investigate. We’re a large company.”

So I said, “Did you ever add up the costs from all of that?” She said, “No, but it would easily be in the tens of millions of dollars.”

Bill [Boni] used the term “the death of a thousand cuts” a long time ago. There’s a lot of little things that, when added up, would be devastating if it happened all at once. And if you would do the basic, simple things on an ongoing basis—to protect yourself against the small things that add up to a major loss in total—you’d also be preventing the mythical terrorist attacks and other large-scale events.

Bill Boni: The way I look at it is that most organizations don’t have a framework for keeping track of loss, particularly intellectual property-related loss. As IP has become digital, you now face the possibility of it being misappropriated without having the loss detected. It doesn’t become manifest until an engineer in your company realizes that your biggest competitors have what you were expecting to have, at the same time—and you thought you were a year ahead of them. Plus, they have lower price points because they didn’t have to spend the money to develop it.

So you [should try to] capture and synthesize a significant portion of those loss events, using HR, the physical security groups and other branches of the company as sensing mechanisms.

October 2003 www.csoonline.com 51

Interview: Bill Boni and Ira Winkler

A lot of talk right now in IS is about the software consoles that do event analysis and correlation. I’m talking about creating an analog of that at the corporate level that correlates the technical aspects of security with everything else—HR, legal, all these different areas. Now management can make better-informed decisions with data, not just anecdotes.

A lot of practitioners will take advantage of a breach to say, “Aha, see, we need to protect our IP.” But the counterargument is, “This was a onetime event.” But if you have a process in place that allows you to prove that, no, it happened three times in the last quarter alone....

The next important question is, What’s the source [of the vulnerability]? Is it technology? A legal loophole? A cultural blind spot in employees or management?

CSO: Even if you know your intellectual property is leaking out, how do you make that connection between what’s been lost and where the loophole is?

Boni: This is where you go back to the fundamentals of counterintelligence. Information security can make its best contributions when you use the whole suite of tools and techniques with a counterintelligence mind-set.

Another example. If someone is scanning the internal network, your internal intrusion detection system goes off, and typically somebody from IT calls the employee who’s doing the scanning and says, “Stop doing that.”

And he replies, “Oh, I was just testing this thing for my college class on IT management. I won’t do that again.”

He offers you a plausible explanation, and that’s the end of it. Throughout the history of IP theft, this is how it always goes. HR sees one thing, physical security sees the guy “accidentally” carrying out documents (“Oops...I didn’t realize that got into my briefcase”), and the IT people see the scanning incident. But nobody puts them all together to realize it’s the same guy!

With IP theft, you can’t always determine that it was Professor Plum in the library with the lead pipe. But [by adopting] a counterintelligence mind-set you can identify gaps in your protection scheme. Sometimes it [really] is accidental; I’ve worked cases where they did high-level internal product announcements at a ritzy offsite and left copies of printouts lying around. Sometimes it’s not accidental. People in other countries—Ira has seen this—send in “dummies” who get jobs in the payroll department, and [once] they’re there for several months there’s very good likelihood they’ll be able to access valuable documents.

The protection mechanisms are too disjointed. Just as in infosec, we have challenges putting together the big picture. The challenge [in IP loss prevention] is how to pull together all those other sensory mechanisms: access cards, legal policies, areas where product models and mockups are done. You have to consider those as sensing devices or places where you can potentially detect behaviors. But they don’t [usually] get correlated in any meaningful way in most organizations.

Winkler: It’s hard to put a dollar figure on data or IP loss. When it happens and they talk about prosecuting hackers, they’ll say I’ve lost millions of dollars to this. In fact, there was the recent case [involving] Lockheed Martin and Boeing where they were talking billions of dollars. However, I don’t think Lockheed Martin took a billion-dollar loss on its balance sheet. Very rarely do they declare the loss in an accounting procedure. And if you don’t do that, your executives aren’t going to think, “We can protect ourselves against IP theft and save ourselves millions of dollars a year!”

So again, what security managers and CIOs should do is add up the little losses, which will add up to a big loss, and then put their security programs in place by adjusting for the little things.

CSO: You touch on the intersection of corporate or operational security issues and info security. Ira, you have a story where you were doing penetration tests at a client company and were able to walk out with critical engineering documents that you found—not in the engineering department but in the graphics department.

Winkler: Right. The CEO has the graphic arts department at his beck and call, and its responsibility is to make documents look pretty. Now, the graphic arts people think of themselves as artists; they’re not thinking about, “Hey, I have some of the most valuable documents in the company on my server.” Obviously, if you go to the financial group and say, “I want to see your financial data,” they’ll laugh you out of the office. But if you go to the graphic artists and say, “Can I take a look at your computers for a minute?”—they’ll say, “Sure, why not.” So people have to understand that there are many places where valuable data goes. And, ironically, some of the most valuable data gets sent to places where they think the data’s irrelevant.


CSO: That makes an argument for active cooperation of all security groups. It also makes a case for the concept of Defense in Depth: Deemphasize the perimeter-oriented approach to security and start thinking in terms of layers of internal defense.

Winkler: Defense in Depth is actually a Department of Defense concept. The DoD has been using it for a long time. Most people start thinking of defense at the perimeter, but Defense in Depth [advocates] treat each piece of the network as its own. It’s not a new term, but it’s getting more publicity as more defense people end up in private industry. It’s a darn good term.

CSO: If you adopt Defense in Depth, you eliminate the debate about which constitutes the bigger threat—internal or external breaches—which seems like a pointless question anyway.

Winkler: At one level, it’s pointless, because I’ve always said threat is irrelevant. It’s irrelevant whether they’re a teenager, an insider or an outsider—someone is going to try to get you. But different threats do have different levels of resources they can throw at you. Teen hackers may scan your website for a while, and then maybe they make a phone call to try some social engineering. But then they go away. However, if you are a [financial sector] company, you are also potentially threatened by outsiders who want to steal money. And if you’re talking about, potentially, more organized criminals or competitors, they will get a job inside your company or, more likely, recruit someone who’s already inside to steal information for them. So you have to do Defense in Depth.

CSO: Back to the money question. We have written several articles saying that CSOs need to do a better job quantifying the cost of a breach, return on security investments (ROSI) and so on. Donn Parker, of SRI International fame, wrote in to say that that’s the wrong approach; it’s really about due diligence. A lot of people say you can’t calculate ROSI. Is it a red herring?

Winkler: There’s a big difference between due diligence and security. Due diligence says I might suffer a loss, but nobody can sue me for it. Security, instead, needs to be approached from the standpoint of balancing my risk. If there was some great standard out there, some good laws that said here’s what you must do specifically in terms of information security, then taking a due diligence approach might be acceptable.

But if I’m a good security person, I have more to worry about than just preventing a lawsuit; I’m supposed to supply a good cost-benefit to my company. I need to keep it not only out of court, but profitable. I would argue that, theoretically, Enron might have done due diligence, but we all know where it ended up. Due diligence basically says that as long as your CEO can’t be sued if the company goes bankrupt, you’re fine.

CSO: Let’s talk more about standards and regulations. We recently surveyed readers about whether, since budget justification is so difficult, there should be more regulation. We got a very mixed response.

Winkler: You have to realize that a regulation, if nothing else, is going to [apply] a uniform standard across a large number of computers. It’s never going to be perfect, but it can be reasonable. If you want good [proposed] regulations, here are three.

First is to configure systems according to an acceptable guideline from, say, the Center for Internet Security, from the National Security Agency or from the vendors—freely available [specifications] that have gone through industry peer review.

Second, manage [systems] correctly with a patch-management program. Fixing bugs within, generally, three months allows you to be relatively secure. If you graph the CERT Coordination Center data, most exploits begin to rise after about three months. The activity hits a peak and then comes back down around six months. So that means if you fix a vulnerability within one to three months, the likelihood of your being exploited is acceptable.

Third, network administrators should be reasonably well trained. When computers were first coming out, I [heard about] a company that took its secretary and said, “OK, you know Microsoft Word and Excel, so we’re making you our Unix administrator.” True story. That’s the type of environment we were in. But today, just as you need well-trained mechanics to fix an airplane, you need well-trained administrators to maintain your systems. Some companies are going to say, “I can’t afford to send my people to a class to learn how to do this well.” But, to me, if you can’t afford to do the basics right, you’re not offering a secure service to your customers, and maybe you shouldn’t be in business.

CSO: In raising the notion of “reasonable regulations,” you talk about basing regulatory decisions on historical data such as the CERT diagrams. Another analogy that might be useful is the process of legally mandated auto inspections. You have to maintain a car to certain benchmark specs, and you ought to maintain your computer systems similarly.




Winkler: By installing your computers well, you can keep them up and running. Turning off unnecessary processes makes the systems more efficient. This is where security is increasing performance. People lose track of the fact that patches don’t all have to do with security [vulnerabilities]. They sometimes have to do with functionality. Doing a security program makes your systems more functional, more stable.

CSO: Unfortunately, better patching alone won’t make information security work. Looking over the PricewaterhouseCoopers global survey results (see “The State of IT Security 2003,” Page 38), the only clear conclusion is that corporate infosec is a mess. There’s a bizarre lack of correlation between spending and efficacy, for example.

Boni: You don’t have metrics in most cases to measure the nature of a loss; and even if you do, how do you use them to determine controls that will be effective to prevent that loss in the future?

You would almost need a prestate array: “Before we got hit, we were experiencing this many problems; and after we implemented this fix, that number was reduced by this much....” But there are a lot of variables in play at the same time. It’s very complex.

I spend a lot of my time understanding what people are doing anecdotally, looking at documents, reports from vendors, articles in periodicals such as CSO. I’m also on a number of mailing lists. What I’m looking for is what’s actually happening, what’s the experience of my trusted colleagues. Information security is still too much of an arcane art right now and not enough science. We’re trying to develop the Six Sigma methodology for IS. I think, over time, that kind of process will give us a better basis for having discussions with corporate management. Now you’re starting to see that, for example, if you’re rolling up your enterprise antivirus stats. Same with vulnerability tools, if you’re rolling those up across your company. Then you can say to management, “Here’s our starting position, and our goal is to reduce those incidents by an order of magnitude,” and being able to report back later: “Here’s our result, here’s our goal, here’s the variance, and here’s how we explain the variance.”

The CEO’s team will always say “give me the data.” Because when you’re talking to the CFO, for example, the whole nature of managing business is measuring risk versus potential reward. But my more technical-minded brethren tend to see things as binary.

CSO: You’ve been involved in security for many years. From where you sit, what’s the state of infosec today? Better? Worse?

Boni: I think it’s getting better, but at the same time more complicated and challenging. Once upon a time, a good security program was an array of technology safeguards. Increasingly, the value add is how to enable the business by strategic application of technologies or functionality—facilitating alliances and partnerships, for example. The technical foundation is not eliminated; it’s table stakes. But now the infosec pro has to move into the realm of understanding that what [business executives] want is, of course, to be able to do the new business or the product or the approach. And the security pro can’t respond, “That’s never going to fly, never ever.” Instead, you have to start with, “OK, there are risks, and here are some approaches to managing the risks. Here’s the decision matrix, and here’s my recommendation.” It’s more like, “Here’s your menu of options, and would you like fries with that?”

CSO: Care to hazard a guess as to how many information security people understand that concept?

Boni: Well, a manager-level employee may not be personally equipped to have that dialogue or may not be organizationally well placed [for it]. You can pretty much track the maturity of the security program, typically, by its placement within the company. As we see more CISOs put in place, that’s becoming part and parcel of how they interact with upper management.

CSO: It seems like a race to see whether a critical mass of companies can reach that level of maturity before regulation becomes a necessity. The Department of Homeland Security has expressed a preference against regulation and is in favor of public-private partnerships. The DHS is counting on the private sector getting its cybersecurity in order out of something like enlightened self-interest.

Boni: I attended a meeting where Tom Ridge and key DHS staff came to speak, and there was some very pointed questioning by attendees and a certain amount of private-sector skepticism. But my sense is that Ridge understands that. And [partnership] is the right way to approach it. They’re talking about maybe assigning Secret Service agents to banks and big brokerages to help interpret laws and regulations, so there’s nobody who accidentally handles things the wrong way due to a lack of understanding. They’d take the posture that, “We’re here from the government to help you, be a copilot, help interpret our mind-numbing array of existing regulations.” But also to help disseminate information and analysis and provide reports to the security officers; for example, “Here’s a scam we’ve seen, and here’s how it works.” Bingo. That’s the kind of information I want as a private-sector employee. I’m happier if we can use our understanding of criminal mechanisms to prevent cybercrime, not just penalize wrongdoers after the fact. Let’s turn government into a learning organization.

That is the analog to the cyberunderground mechanism that shares information: “Hey, this is how this exploit works, let’s add something and go hack someone!” The Rand Corp. [an independent think tank] has a study called “The Advent of Netwar” [available at www.rand.org/publications/MR/MR789] that’s an excellent study of that kind of network-model, loose organization. The more traditional model in government is to send all the information to the center point and then sit back and expect them to be the ones who act. Hierarchies like that are at a tremendous disadvantage versus a network-model group of attackers. So let’s build a network-enabled group of defenders. Information-sharing from point to point as well as point to center has great potential and is going to be required to have an effective societal response to cybercrime or terrorism. Community policing in cyberspace.


Do you think the government is going to achieve that model of network-enabled defense, powered by information sharing?

Boni: The challenge is for us to give the government folks a chance to prove that they can really do it that way. They’re all saying this—the FBI, the Secret Service, everybody. If it takes root, it will become a virtuous reinforcing circle. Once it shows payoff for people who participate and share information, a community of interest is formed. Instead of the “Gee, I’m really glad they didn’t hit me” model. It has to show a meaningful benefit for active participation.

Whereas if you just write regulations that mandate the use of specific defensive technologies, it’ll be the Maginot Line in cyberspace, massively obsolete by the time you get it in place. Protecting against the last threat, not the next one.


Some Fortune 500 corporate security honchos have expressed a strong sense that security, generally, is at a historic inflection point—being driven toward its fulfillment by a confluence of factors: terrorism, yes, the creation or elevation of executive positions, a sort of slow corporate awakening to the importance of risk management and security. Do you agree?

Winkler: I don’t think we’re at the inflection point yet, and I’ll tell you why. There’s a difference between should and must. Everybody says we should be secure, and managers today are saying we should be secure. The question is when are the managers going to say we must be secure?

You can go back a decade and hear people saying, “We want to be secure, we want to provide the best service to our customers, we want to secure their data and so on.” But when do people actually make security a must? Citibank did after the Vladimir Levin incident. A lot of banks made security a must because they learned a little from Citibank’s pain and their own. Because, let’s face it, every bank loses money to computer theft; they just don’t all admit it.

I don’t see it until regulations or third-party liability lawsuits or something else forces people to start addressing it in the proper way. What will get companies all the way there is when government says you have to do it, or else when insurance companies say that, if you want director’s and officer’s insurance, you have to have an appropriate program. HIPAA, Gramm-Leach-Bliley and so forth are a start, but until I see some large-scale efforts to go beyond specific industries, I don’t think we’re at that inflection point yet. ■


You Ask, They Answer

CSO gathers industry experts, like Ira Winkler and Bill Boni, for its SECURITY COUNSEL feature. Previously, Winkler answered readers’ questions about protecting intellectual property. In November, read Boni’s session on infosec by visiting www.csoonline.com/counsel.




Technologies, Tools and Tactics


Under Attack

Can your systems really benefit from penetration testing? By Simson Garfinkel


SOMETHING WAS WRONG with the Web server. It was nearly 5:30 p.m., and no mail had been delivered for roughly an hour. When I logged on, I discovered that the disk partition dedicated to incoming e-mail was pegged at 102 percent of capacity. And on my server, the system load—a measure of how hard the computer is working—had jumped from its normal level of 0.5 to an all-time high of 27. Perhaps all this was related to the fact that my server, which normally takes close to 8,000 hits a day, had received more than 20,000 hits during the past two hours—many of those hits requesting URLs that looked suspicious.
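The signals in that paragraph (an hourly hit rate several times the daily average, one source firing requests for odd-looking URLs, the load and disk alarms that follow) are what a defender wants flagged from the access log before the mail stops. The Python below is an added example written for this article, not code from the page or from SPI Dynamics: it parses NCSA common-log lines, buckets hits per hour and per source, and reports any hour far above the article's 8,000-hits-a-day baseline, any single host above a per-hour threshold, and how many of each host's requests look like scanner probes. The log lines are constructed; the thresholds, the probe patterns and the addresses are my assumptions.

```python
"""Flag a burst of suspicious requests in a web server access log.

Added example for this article, not code from the page or from SPI Dynamics.
The log lines are constructed; the 8,000 hits/day baseline is the article's,
the thresholds and probe patterns are assumptions.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# NCSA common log format: host ident authuser [date] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S"

BASELINE_HITS_PER_DAY = 8000                    # from the article
BASELINE_PER_HOUR = BASELINE_HITS_PER_DAY / 24  # roughly 333
SITE_SPIKE_FACTOR = 5          # assumption: 5x the hourly baseline is a spike
HOST_THRESHOLD_PER_HOUR = 300  # assumption: one source, one hour

# Assumption: paths a visitor of a photo album would not request but an
# auditing tool probes for (traversal, script tags, backup copies).
SUSPICIOUS_PATH = re.compile(r"\.\./|%2e%2e|<script|/etc/passwd|\.bak$", re.I)


def parse_line(line):
    """Parse one log line into a dict; None if it is not in the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Drop the numeric zone ("+0000"); every line in one log shares it.
    when = datetime.strptime(m.group("time").split(" ")[0], TIME_FMT)
    return {"host": m.group("host"), "time": when,
            "path": m.group("path"), "status": int(m.group("status"))}


def analyze(lines):
    """Bucket hits per hour and per (host, hour); report what stands out."""
    hits_per_hour = Counter()
    hits_per_host_hour = Counter()
    suspicious_by_host = Counter()
    unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        hour = rec["time"].replace(minute=0, second=0, microsecond=0)
        hits_per_hour[hour] += 1
        hits_per_host_hour[(rec["host"], hour)] += 1
        if SUSPICIOUS_PATH.search(rec["path"]):
            suspicious_by_host[rec["host"]] += 1
    site_spikes = sorted(h.isoformat() for h, n in hits_per_hour.items()
                         if n > SITE_SPIKE_FACTOR * BASELINE_PER_HOUR)
    noisy_hosts = sorted(
        ({"host": host, "hour": h.isoformat(), "hits": n}
         for (host, h), n in hits_per_host_hour.items()
         if n > HOST_THRESHOLD_PER_HOUR),
        key=lambda a: (a["hour"], a["host"]),
    )
    return {"site_spikes": site_spikes, "noisy_hosts": noisy_hosts,
            "suspicious_by_host": dict(suspicious_by_host), "unparsed": unparsed}


def make_sample_log():
    """Constructed sample: a quiet site, then one host hammering it for half
    an hour at about one request a second with probe-like URLs."""
    start = datetime(2003, 9, 30, 15, 0, 0)
    lines = []
    for i in range(12):  # benign traffic: one hit every five minutes
        t = start + timedelta(minutes=5 * i)
        lines.append(f'192.0.2.{i % 4 + 1} - - [{t.strftime(TIME_FMT)} +0000] '
                     '"GET /index.html HTTP/1.0" 200 512')
    probes = ["/album.cgi?dir=../../../etc", "/album.cgi?dir=/var/log",
              "/cgi-bin/test.bak", "/search.cgi?q=<script>x</script>"]
    scan_start = start + timedelta(minutes=30)
    for i in range(1800):  # scanner burst
        t = scan_start + timedelta(seconds=i)
        lines.append(f'203.0.113.9 - - [{t.strftime(TIME_FMT)} +0000] '
                     f'"GET {probes[i % 4]} HTTP/1.0" 500 0')
    lines.append("not a log line at all")  # exercises the unparsed counter
    return lines


if __name__ == "__main__":
    for key, value in analyze(make_sample_log()).items():
        print(f"{key}: {value}")
```

The per-hour site check mirrors the comparison Garfinkel made by hand (8,000 a day against 20,000 in two hours); the per-host check is what separates a single scanner from a genuine traffic surge, and the probe pattern list is deliberately short because its job is triage of a burst, not detection of every attack.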

My system was clearly under attack. But by whom? Then I remembered: I had asked SPI Dynamics to unleash its website auditing tool, WebInspect, against my home server. Not just any auditing tool, WebInspect is specifically designed for penetration testing Web-based applications. The program uses a Web spider to map out every page on the server, examines each page for Web errors that an outsider could exploit, and then tries to exploit them.

“Go ahead and whack my system,” I had told the company two days before the incident. And so it did.

Now if this had been a normal attack, I would have responded by setting up a rule blocking my server from the attacker’s IP address. But not this time, because I wanted SPI Dynamics to use its tool against my website—I wanted to know if I had any vulnerabilities. What I hadn’t expected was that the tool would find the one script on my Web server that required 10 CPU seconds to run, and then repeatedly run that script 30 times a minute, firing off each new request long before the previous one had a chance to finish. That’s why the load on my server had spiked.

Accidents like that have given penetration testing a bad name in the past. The goal of penetration testing is to find vulnerabilities in production systems so that those vulnerabilities can be patched. But if the person conducting the test doesn’t apply extreme care, the test itself can become destructive. Such situations quickly escalate from being mere embarrassments to becoming full-fledged money-losing events. Oops.

Penetration testing goes back decades. In the 1970s, members of the U.S. military set up “tiger teams” or “red teams” with hotel rooms filled with communications equipment. Their goal was to see if they could break into sensitive computer systems or communications links run by other groups inside the military. A few security-conscious companies outside the defense establishment started pen-testing in the 1980s. Sometimes the attacks were physical, sometimes they relied on social engineering, and sometimes they were purely electronic. Alas, they were almost always effective.

I’ve never been a particularly big fan of pen-testing for the simple reason that a negative report from the red team doesn’t always convey useful information. Certainly, if the testers find a way to break into your system and they tell you, then you can fix the hole. But what if they don’t find a way to break in? It could mean there is no hole to be found—or it could mean the testers just didn’t find it. In the worst case, the pen-testers do find a way in, but they don’t tell you about it. Instead, they sell the information to your competitors, or they leak it to the press, or they just use it themselves for their own personal enrichment.

How often do such nightmare problems happen? Nobody is sure. In one case I heard, a company that was hired to penetrate the network belonging to company A accidentally broke into the network of company B, which had set up a leased line with company A for sharing special information. Hilarity—and a lawsuit—ensued. In another case, the penetration testing company outsourced to one of its friends. Unfortunately for everybody, those friends turned out to be real, live criminals.

Clearly, you have to trust your penetration testers. But they have to trust you too, which is another delicate aspect of this all-but-unsavory auditing practice. Before SPI Dynamics would whack my server, it had me sign and fax back a piece of paper authorizing the company to test my system. In the trade, such a paper is called a “get out of jail free card”—after all, breaking into a computer without permission is in many jurisdictions a prosecutable offense.


Storing the Mind

Intellectual property, or IP—a broad term covering patents, trade secrets, engineering documents, customer lists and the like—is harder than ever to protect, now that much of it is stored digitally. (For more about the underlying problems of IP, see “Fighting Trim,” Page 50.)

For that reason, a broad variety of new IP protection tools are flooding the marketplace. They go by different names—digital rights management, watermarking, copy detection, digital access control.

Eric Ogren, who tracks this market as security and software solutions senior analyst at The Yankee Group, says a critical question is which vendors will come out ahead—the document management giants now looking to incorporate security right into their products or smaller companies building their own IP security infrastructures from scratch. Ogren says the smaller companies face a daunting challenge, given that they are not always supported by those who produce most of the documents that need to be secure. But he does see some success in smaller companies making a move toward policywide, business-unit protection where the decision-making power for protecting documents rests with managers and executives, rather than being made on a document-by-document basis by individual users.

Ogren says a leader in this area is Liquid Machines, which focuses on the internal distribution and access of documents. Liquid Machines’ eponymous product places control in the hands of company executives, compliance officers and department heads. For example, whoever is in charge of the HR department can, via a simple Web-based interface, decide which employee can access certain digital assets and whether that employee can print particular documents or forward them. And if the status of an employee changes, his access can be changed easily through this same interface.

Access can also be set at the individual document level. For example, a department head can ensure that a specific document may be viewed for only a week from the time it was sent out. The same supervisors can monitor who is reviewing what data and to whom they are forwarding the data. Protection can be added to new documents as they are created and also to already existing documents.

Verdasys’s Digital Guardian is another new product grabbing corporate users’ attention in this arena.

Ogren says an innovator in controlling external access to content is eMeta. eMeta’s clients mainly consist of print and online publishing companies looking to restrict access to their content. eMeta’s product in this market is RightAccess, which provides a Web-based infrastructure with advanced authorization and delegation capabilities. These capabilities allow clients to protect and manage access to their websites’ content.

With RightAccess, right to use can be controlled by number of page views, downloads or even article bundles. RightAccess first requires clients to define their product, that is, what is an article, research report or book. From there, parameters can be set surrounding that defined product. For example, one of eMeta’s clients is The New York Times, and one way it controls online access to its newspaper stories is through giving users viewing privileges for a fixed number of stories during a set time period.

As technology advances, the IP protection market will remain in flux. One of the older independent companies in the space, InterTrust Technologies, recently decided to shelve its products, head back to research and development, and resurface instead with patent-protected ideas that other companies can install themselves. InterTrust has been around for 13 years, selling mostly to the media industry. CEO Talal Shamoon says he realized about a year and a half ago that digital rights protection tools were more often becoming embedded into products, and he feels there will soon be fewer companies offering only IP tools. Shamoon says InterTrust currently has 85 pending patents; its new business model is certain to be tested with the approval and release of these ideas.

-Julie Hanson

So what’s the problem? SPI Dynamics assumed that the permission was mine to give! It’s easier to imagine that a person interested in the secrets of a company would pose as an employee of that company than hire an outside team to conduct a penetration test. (In fact, that’s loosely the plot of the movie Hackers.)

Most legitimate penetration testing today is done by allegedly white hat or gray hat computer hackers who closely monitor computers underground, download copies of all the latest tools and attacks, and use them like individual irons in a golf bag for hacking into target systems. Is the target an older Linux system? If so, the testers might try their UW IMAP buffer overflow attack. Does the network have a router? Then they might see if the machine’s default password has been changed.

WebInspect and a product from Core Security Technologies called Core Impact are part of a new generation of penetration testing tools—tools that can be thought of as “attack caddies.” Like traditional vulnerability scanners, they have a database of operating systems and known vulnerabilities for which to check. But when they find a vulnerability, they then figure out how to exploit it and test to see if that vulnerability can be used to leverage additional authority (a technique called privilege escalation).

But back to my system. Apparently, the large number of log entries and corresponding error reports from the WebInspect session had caused my mail and log partition to overflow (it had previously been at 95 percent capacity). Fixing that was easy: I moved my Web logs to a different disk partition. Mail started flowing again, but slowly.

The high load was caused by a different problem: WebInspect had discovered that the script I had written for displaying a photo album allowed any directory on my server to be indexed, and whenever a new directory was indexed, the photo album program tried to create tiny little thumbnails in the directory. I fixed that problem by modifying the script so that requests outside the photo album directory would be summarily rejected. I should have done that when I first wrote the program, of course.
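The fix Garfinkel describes, rejecting requests outside the photo album directory, is a path-containment check. As an added example (not Garfinkel's script, whose language the article does not give, and not SPI Dynamics' code), here is the vulnerable lookup beside the corrected one in Python; the album root and the handler shape are assumptions. The check runs on the already URL-decoded parameter a CGI library hands over and must not decode it a second time.

```python
"""Keep a photo-album CGI's directory parameter inside the album root.

Added example for this article, not Garfinkel's script or SPI Dynamics' code.
ALBUM_ROOT and the handler are assumptions about how such a script might be
written; the check works on the already URL-decoded parameter value.
"""
import posixpath

ALBUM_ROOT = "/var/www/photos"  # assumption: where the album lives


def unsafe_target(dir_param):
    """'Before': the parameter is joined onto the root and trusted.

    A '..' segment walks out of the album, and an absolute path replaces the
    root entirely, so any directory on the server can be listed (and, as the
    article describes, gets thumbnails generated in it)."""
    return posixpath.normpath(posixpath.join(ALBUM_ROOT, dir_param))


def safe_target(dir_param):
    """'After': normalise, then insist the result is the root or below it.

    Raises PermissionError for anything else so the caller answers 403
    instead of indexing the directory."""
    if "\x00" in dir_param:
        raise PermissionError("NUL byte in directory parameter")
    candidate = posixpath.normpath(posixpath.join(ALBUM_ROOT, dir_param))
    # Compare against the root with a trailing slash so that a sibling such
    # as /var/www/photos_private does not pass a bare prefix test.
    if candidate != ALBUM_ROOT and not candidate.startswith(ALBUM_ROOT + "/"):
        raise PermissionError(f"request outside the album: {dir_param!r}")
    return candidate


def album_response(dir_param):
    """HTTP status and the directory the handler would index, or (403, None)."""
    try:
        return 200, safe_target(dir_param)
    except PermissionError:
        return 403, None


if __name__ == "__main__":
    for param in ["2003/vacation", "../../../etc", "/var/log", "../photos_private"]:
        print(f"{param!r:22} before: {unsafe_target(param):28} after: {album_response(param)}")
```

normpath collapses '..' and '.' segments but does not follow symlinks; on a real filesystem, resolve the candidate with os.path.realpath before the prefix comparison so that a link planted inside the album cannot point outside it. The trailing-slash comparison is what refuses a sibling directory that merely shares the root's prefix.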

With the second fix, the load on my system promptly dropped back down to less than 1.0. I then called the folks at SPI Dynamics to get their full report. As it turned out, the company had discovered yet another vulnerability: A script I had written was vulnerable to so-called parameter-based cross-site scripting. In other words, I had a script on my site that would allow a user to type in HTML and send that same HTML right back to the Web browser. This can be used to hijack an authenticated Web session from the browser on the same site. In my case, it would have allowed a sufficiently skilled and motivated attacker to possibly hijack my Web browser and muck with my MailMan mailing list configurations.
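The “parameter-based cross-site scripting” SPI Dynamics reported is exactly the reflection described: a parameter typed by the user is written back into the page unescaped. Added example, not code from the original page: a minimal search-results renderer in Python, vulnerable and corrected, with the value reflected both in body text and in an input attribute, since the attribute context needs quotes escaped as well as angle brackets. The page layout, the parameter name and the test strings are constructed.

```python
"""Reflect a request parameter into HTML without letting it become markup.

Added example for this article, not code from the original page. The search
page, its parameter name and the test strings are constructed.
"""
import html


def render_unsafe(term):
    """'Before': the parameter is pasted into the page as-is, so a value
    containing tags or quotes is interpreted by the browser as markup."""
    return (f"<p>You searched for: {term}</p>\n"
            f'<input name="q" value="{term}">')


def render_safe(term):
    """'After': HTML-escape the value once for both contexts. quote=True
    also escapes quotes, which is what keeps the attribute closed."""
    safe = html.escape(term, quote=True)
    return (f"<p>You searched for: {safe}</p>\n"
            f'<input name="q" value="{safe}">')


def response(term, renderer=render_safe):
    """Headers plus body. Pinning the charset stops the browser guessing an
    encoding in which the escaped bytes would decode to something else."""
    headers = {"Content-Type": "text/html; charset=utf-8"}
    return headers, renderer(term)


if __name__ == "__main__":
    for term in ["holiday photos", "<b>injected</b>", '"><i>x</i>']:
        print("--- before ---")
        print(render_unsafe(term))
        print("--- after ----")
        print(render_safe(term))
```

html.escape is the right tool for HTML text and quoted attribute values only; a value written into a script block, a URL or a CSS rule needs that context's own encoding, and a value reflected into an unquoted attribute is not saved by escaping at all.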

Overall, I didn’t think that this HTML vulnerability was a particularly big deal. In fact, there was a much bigger vulnerability, but the automated testing tool didn’t find it. Probably just as well!

When most people think about penetration testing, they think about top-rank “ethical hackers,” perhaps straight out of the Air Force Information Warfare Center, who might have once been on the dark side but now apply their skills for good.

But what do you do if you are just a regular guy who wants to do some basic penetration testing? In that case, you might need some help.

Core Impact is a full-blown penetration workbench that lets you size up a remote system, analyze the system with a variety of data reconnaissance tools, and then penetrate the system using a variety of exploits that come bundled with the program. (Additional exploits are available to customers who purchase support.)

Oftentimes in the world of penetration testing, the penetration tester will break into one machine, only to discover that a second machine can be reached from the first—and perhaps a third from the second and so on. Some attackers call this “network weaving” or “leapfrogging.” It’s a powerful technique that can be used, for example, to penetrate behind a company’s firewall by successfully breaking into a “trusted” Web server located on the company’s DMZ.

Core Impact has been specially designed to make leapfrogging child’s play. Once a system is penetrated, Core Impact downloads a small agent into the memory of the compromised process. That agent then allows the penetrated system to be used as an attack point against other machines on the target network, allowing the operator to leapfrog his way in. Since the agent resides solely in the computer’s memory, there’s no lasting damage to the penetrated machine—and usually no evidence of penetration either. So while Core Impact is a good tool for penetration testing, it’s a great tool for espionage as well.

No matter whether you have your penetration testing done with automatic tools, with an outsourcing company or with your own insiders, it’s best to be ever vigilant. The results described in a penetration testing report are a step-by-step checklist of how to break into your system. As such, you’re best off making sure it doesn’t fall into the wrong hands. ■

Simson Garfinkel, CISSP, is a technology writer based in the Boston area. He is also CTO of Sandstorm Enterprises, an information warfare software company. He can be reached at machineshopacxo.com.




CSO Undercover

Title Entitlement

I thought I ought to become my organization’s CSO until a self-assessment caused me to think again. By Anonymous


CURRENTLY, I’M THE VP of security at a global corporation, a title I’ve worked hard to get and one of which I’m proud. But all the talk about CSOs has made me think about my role here, how our department’s profile has changed in the past few years, and how such a title might convey top management’s commitment to what we’re trying to accomplish. Frankly, I wouldn’t view it as a promotion, and this is not about more compensation. I think a title change to CSO represents a logical next step in the evolution of corporate security within

So I’ve undergone a sort of self-assessment in order to have some talking points when I confront my boss. I’ve considered my place both within my organization and among my peers. I know from talking to colleagues that budgets have tightened and the number of CSO titles has not appreciably increased in the past year or so. Which means I’m probably fighting an uphill battle. But I think it’s worth teeing up to gauge where management sees our mission going.

My information security counterpart in our organization is in a separate department. We’re both vice presidents and work very closely for obvious reasons. He has successfully captured the CISO title and enjoys more seniority and influence within the corporate structure than the traditional CSO. Chief risk officers and chief legal officers similarly seem to serve at a considerably higher level than do physical security executives. What is it that gives them this seeming legitimacy?

The notion of chief-whatever carries weight in business circles, yet the CISO mantle was passed virtually without a peep. My friends in HR told me that was, in part, because of our unyielding reliance on our technical environment. But I also know that the CIO talks with the CEO daily about risks to system integrity. He’s the CISO’s strongest advocate for very selfish reasons. I have good relationships with several board members, but I don’t have that sort of advocate near the corner office.

In the midst of my introspection, I happened to receive “Corporate Security Management: Organization and Spending Since 9/11,” a recent publication from The Conference Board, a respected research organization that produces conferences, makes forecasts, assesses trends, and publishes information and analysis on the current business climate. I know a number of our senior executives are members, so this, I thought, might help my cause. With sponsorship from ASIS International, The Conference Board interviewed more than 330 security directors, risk managers and IT security officers. More than half came from companies with over $1 billion in annual sales. The purpose was to ascertain general patterns of security management and to identify changes in business functions and spending since the terrorist attacks in September 2001.

The report shed light on the current CSO role within the organization. But the analysis contained within it hardly provided me with the ammunition I needed to support my case for chiefdom.

Given my desire to acquire the CSO title, I had been somewhat heartened by a Deloitte Touche Tohmatsu “2003 Global Security Survey” that found that 63 percent of respondents in the financial services industry currently have already established or plan to establish CSO or CISO positions in the next two years. I’m sure that financial services people care very deeply about information security, but I’m also sure that they are not alone in considering the critical infrastructure. Now, I thought, was the time to make a case for the evolving role of the senior security executive.

But I was chagrined to learn from The Conference Board report that, of the companies queried that do not already have the position, only 5 percent said they are planning to create a CSO. In addition, the report goes on to show that most security executives serve below the vice presidential level and are paid less than $150,000 per year. Only 24 percent of the respondents held the position of CSO, although they didn’t always use that exact title.

That jibes with my view that the CSO title, while sexy, is not as relevant as the actual responsibilities that go with the job. I’d wager that, if you laid a CSO job description beside that of a corporate security exec who owns a broad scope of services with second- or even third-tier reporting, you wouldn’t see a dime’s worth of difference. We’re untitled CSOs. With the title, we gain opportunity for the greater access and ability to get things done.




The Conference Board survey suggests that strategic business management does not loom large in the career paths of security directors. In fact, barely one-fourth of respondents report diversified corporate management experience. Using the International Security Management Association as a sample, I see a small but growing number of large corporation security executives who have come to security by way of internal line-of-business tracks. But if these “outsiders” fail to understand the business aspect of their particular company, they’re not around very long. Without such a foundation, how could anyone provide a risk-responsive security organization? Ex-law enforcement, information technology or other specialist backgrounds have to earn their bones just like the rest of the line senior managers.

Less than a quarter of respondents reported to the CEO, COO or CFO, while almost the same percentage reported to the head of facilities. If you peel this one back, you’ll likely find that those in the first group are in industries where reputational risks are in the forefront; in the latter group, theft, workplace violence and physical security are the primary concerns.

The report—and its companion report regarding salaries—goes on to compare titles, compensation and spending on security post-9/11. The Conference Board takes into consideration where one sits in the hierarchy (do you have a C-level title?), your compensation and to whom you report. It suggests that a routine reporting relationship to the CEO or COO is still relatively unusual—apparently only 15 percent of the sample reported to either of those people.

I’m beginning to sound like a whining malcontent, but at every place I’ve ever worked, the CEO and COO were reasonably busy people who needed to limit their span of control. Did I have access when I needed it? Did they listen and act based on well-founded conclusions? And did they give me what I needed to get the job done within the agreed-upon scope of my responsibilities? You bet. Who cares to whom I reported?

In the midst of my angst, however, I have an epiphany! What if CSOs and CISOs could collaborate, plot and actually support one another! Oh. My. God. It kind of reminds me of that song in the musical Oklahoma: “The farmer and the cowman can be friends.” (Sorry. I’m showing my age.)

Security has to be a core cross-business process led and staffed by specially qualified individuals not dissimilar to those in risk management, personnel management, legal, ethics and compliance, real estate, marketing, information technology, or finance. We are all in the internal services industry with a captive clientele who judge us one transaction at a time.

So I’ll come right out and admit it: I’m not a CISO. I come from the less technical side of our business. You can take that to mean that my background is not within the more technical confines of IT security. You can be sure, however, that for the IT responsibilities that lie within my accountability, I have really, really competent professionals who work splendidly beside our IT people.

I’m trying to live with that limitation in a digital world. But I also have to live with the fact that some of the IT people make more money than my team—an issue of which I’ve been aware since we started doing background investigations on them. It’s a fact of life, and those who yearn for the CSO title need to get over it. We need to reach out to our infosec brethren because, regardless of what is now in their portfolio of offerings, no security executive in the future can be ignorant of information risk management. These risks are simply too pervasive and important. Measurable protection cannot be found in unconnected silos. Right?

Right. 

So here I am, reconsidering my centralization and one-silo biases. I have to
consider the obvious between-the-lines conclusion that security responsibilities
in some companies are business-centric.

Is it possible that there is an accountability model at work in those companies
that addresses risk better than a centralized model? Might a deeper look into
the relationships among security responsibilities reveal that the culture
rewards collaboration and an effective matrix approach to cross-company issues
such as security? Is the notion of a CSO committee so out of the ballpark that
our egos don’t permit such title entitlement?

What we need to do as security professionals is establish a set of protocols
that drive our collective operations to share ideas, integrate security
strategies and plans, and engage in cross-discipline training. We need to become
a team focused on the diversity of threats that confront us across the globe.

Perhaps we could find a forum that crosses the artificial line of technical and
operational security, some way to bring a group of us together to develop the
ideal relationship. The debate can only contribute to better security for our
employers and shareholders.

I think I’ve discovered that all this is much less about why nobody at the top
loves me enough to dub me Almighty CSO. It’s about being more attuned to the
breadth of risk to our company and how I can collaborate with my IT colleagues
to make our safeguards more integrated and cost-effective. Maybe, just maybe,
that sort of leadership and collaboration will earn me some advocacy, and
chiefdom might be the reward.

Thanks Conference Board. I’ll be interested to see where we go during the next
several years.

This column is written anonymously by a real security executive. E-mail
feedback to csoundercover@cxo.com.




October  2003  www.csoonline.com  61 


THE  RESOURCE  FOR  SECURITY  EXECUTIVES 


Sales and Services

CSO Sales Offices
President Walter Manninen • 508 935-4101
Group Publisher Gary J. Beach • 508 935-4202
Publisher Bob Bragdon • 508 935-4443
Executive VP Sales/Custom Publishing Ellen Romanow • 508 935-4796

East Coast
Eastern Regional Sales Manager Paul Reiss • 508 935-4163
Eastern Regional Account Executive Kim Forrest • 508 935-4068
Senior Regional Manager Kathy Powers • 201 634-2331

Midwest
Regional Director Robert E. Sawdon • 512 306-9801
District Sales Manager Beth DeVillez • 847 441-3140

West Coast
Western Regional Sales Manager Mary Sinclair • 415 975-2691
Senior Regional Manager Jane Evans • 415 975-2680
Regional Manager Ai Collins • 415 975-2686
Account Executive Isaac Ugay • 949 475-5579

List Services
List Services Director Kathryn A.W. Marston • 508 935-4072
List Services Account Executive Stephanie Roy • 508 935-4151

Online Services
VP/Online Sales Lisa Brown • 508 935-4470
Online Sales Manager Michael McPhee • 508 935-4611

Custom Publishing
Group Director Michael Siggins
Director Mary Gregory
Director of Content Development Tom Field
Project Managers John Danielowich, Amy Greenleaf
Graphic Designer Chris Brown

Production
VP/Manufacturing Chris Cuoco
Production Manager Lee Tuttle
Senior Production Coordinator Lisa Stevenson

Executive Programs
EP Senior Vice President Jennifer Richards
Conference Management VP Cynthia Mollus
Marketing Services Director Shellie Rapson James
Business Development VP John Amato
Program Operations Manager Brian Fuce
Marketing Manager Glede Kabongo
Marketing Services Coordinator Andrea Slobogan
Event Development Specialist Sandra J. Hughey
Operations Coordinator Michael Barbato
Event Planning Manager Amy Turell
Senior Customer Service Coordinator Sarah Yee

Marketing
Executive VP/Marketing Cathy O'Leary Hayes
VP/News and Information Susan Watson
Media Relations Manager Karen Fogerty
News and Information Associate Lori Piscatelli
Marketing Research Director Bridget Cammarata
Marketing Research Manager Carolyn Johnson
Sr. Marketing Research Analyst Dylan DiGregorio
Marketing Comm. Director Sue Yanovitch
Sr. MarCom Development Specialist Kari Curto
Marketing Comm. Associate Sarah Crowley

Circulation
Senior VP/Circulation Carol A. Spach
Circulation Director Faith Marcello
Subscription Svcs. Supervisor Tina Pescaro

Reprint Services
For article reprints (500 quantity or more), please contact Chad Johnston at
RSiCopyright at 651 582-3800 or e-mail csoreprints@rsicopyright.com.

For further sales information, visit www.csoonline.com/reprints/index.html.


CSO  Contact 
Information 

Editorial, Advertising and Business Offices
492 Old Connecticut Path, P.O. Box 9208, Framingham, MA 01701-9208,
508 872-0080.

Postal  Information 

CSO (ISSN 1540-904X) is published monthly by CXO Media Inc., 492 Old
Connecticut Path, P.O. Box 9208, Framingham, MA 01701-9208. Periodicals Postage
Paid at Framingham, MA 01701, and at additional mailing offices. Canadian
Publications Mail agreement number 1902075. CANADIAN POSTMASTER: Please return
undeliverable copy to P.O. Box 1632, Windsor, ON N9A 7C9.

Permissions 

Copyright 2003 by CXO Media Inc. All rights reserved. Reproduction of material
appearing in CSO is forbidden without written permission. Send requests to
Andrew Burrell, CXO Media Inc., 492 Old Connecticut Path, Framingham, MA 01701.
Telephone 508 935-4785. E-mail aburrell@cxo.com.

Photocopy  Rights 

Permission to photocopy for internal or personal use or the internal or
personal use of specific clients is granted by CSO for users through the
Copyright Clearance Center, provided that the base fee of $3 per copy of the
article, plus $.50 per page is paid directly to Copyright Clearance Center, 27
Congress Street, Salem, MA 01970. Please specify: ISSN 1540-904X. Permission to
photocopy does not extend to contributed articles followed by this symbol:

Subscriptions 

Address inquiries to CSO, P.O. Box 3482, Northbrook, IL 60065; 866 354-1125.
CSO is free to qualified information executives.

To all others the one-year basic rate is $70 for the United States and Canada,
$95 to foreign countries (payable in U.S. funds only). The single copy price is
$9. Please allow four to six weeks for new subscriptions to begin.

Change  of  Address 

Please  go  to  www.omeda.com/custsrv/cso 
and  follow  the  online  instructions. 

Postmaster 

Send change of address to CSO, P.O. Box 3482, Northbrook, IL 60065. Printed in
the USA.


Index of Companies and Advertisers

Page numbers refer to the first page of the article(s) in which the company has
a substantial mention. This index is provided as a service to readers. The
publisher does not assume any liability for errors or omissions.


Company Index

Amazon.com Inc. ... 15
AMR Research Inc. ... 15
Best Buy ... 15
Citibank NA ... 15
Claridge Casino at Bally's, The ... 30
Coca-Cola Co., The ... 15
Computer Forensics Inc. ... 15
Core Security Technologies ... 57
Covenant Health ... 38
EarthLink Inc. ... 15
eBay Inc. ... 38
eMeta Corp. ... 57
Foxwoods Resort Casino ... 30
Gartner Inc. ... 15
Harrah's Entertainment Inc. ... 30
Hewlett-Packard Co. ... 50
Internet Security Systems Inc. ... 57
InterTrust Technologies Corp. ... 15
KindMark ... 15
Liquid Machines Inc. ... 57
Loronix Inc. ... 30
MessageLabs Inc. ... 15
Microsoft Corp. ... 15
Mohegan Sun ... 30
Motorists Insurance Group, The ... 38
Motorola Inc. ... 50
PayPal ... 15
Playboy Enterprises Inc. ... 30
PricewaterhouseCoopers ... 15, 38, 50
Rand Corp., The ... 50
SPI Dynamics Inc. ... 57
SRI International ... 50
Trump Hotels & Casino Resorts Inc. ... 30
TruSecure Corp. ... 15
Verdasys ... 57
Viisage Technology Inc. ... 30
Yankee Group, The ... 57

Advertiser Index

Anixter Inc. ... 9
Authenex Inc. ... 21
BearingPoint Inc. ... 23
Cisco Systems Inc. ... 2
Computer Associates Intl. Inc. ... C4
CXO Media Inc. ... 17, 28, 48, 63
Intense School ... 25
Internet Security Systems ... 7
LG Electronics U.S.A. Inc. Iris Technology Division ... C3
Lumigent Technologies Inc. ... 27
NetIQ Corp. ... 56
Robert Half Technology ... 5
SecurityGlobal.net ... 37
Symantec Corp. ... C2
Tripwire Inc. ... 19
Unisys Corp. ... 12
VeriSign Inc. ... 14






New  Publication 


CSO  magazine  is  the  proud  recipient  of  the  prestigious 
2003  Jesse  H.  Neal  Award  for  “Best  New  Publication.” 
CSO  was  also  honored  as  first  runner-up  to  sister 
publication  CIO  magazine  for  the  Grand  Neal  Award— 
the  top  editorial  honor  granted  to  one  publication  from 
more  than  1,000  entries  across  all  categories  and 
circulation  sizes.  This  marks  the  first  time  a  new 
publication  has  received  such  prestigious  recognition 
so  early  on. 


The  Neal  Award  judges  aren't  the  only  ones  who  value 
CSO  magazine.  98%  of  CSO  readers  find  the  content 
of  CSO  relevant  to  their  jobs.* 


Often hailed for its preeminence as the “Pulitzer Prize of the business press,”
the Neal Award is the business publishing industry’s annual salute to individual
editors for outstanding editorial excellence.

* SOURCE: CSO MAGAZINE "SECURITY SENSOR II," DECEMBER 2002




Dept. of the Fall Classic


The  same  year  a  routine  ground  ball  to  first 
skated  through  Bill  Buckner’s  legs,  thus 
demolishing  the  psyche  of  Red  Sox  fans 
(including  us  here  at  Debriefing),  Major 
League  Baseball  hired  Kevin  Hallinan 
as  its  senior  vice  president  of  security  and 
facility  management.  It  was  a  position 
conjured  by  then-commissioner  Peter 
Ueberroth,  who  believed  alcohol  and  the 
security  problems  it  creates  were  a  factor 
in  dwindling  attendance. 

Since then, Hallinan has seen and learned more about sports security than the
Red Sox have learned about pitching winning championships. In the past year
alone, Hallinan had to deal with two incidents of fans charging the White Sox’s
field, once attacking a coach and once an umpire, another incident in which a
cherry bomb detonated in the bleachers in Oakland, and yet another in Oakland in
which a spectator beaned an outfielder in the head with a cell phone.

In May, Hallinan volunteered to become chairman of the board for the TEAM
(Techniques for Effective Alcohol Management) Coalition, a nonprofit consortium
of sports leagues, vendors, brewers, broadcasters, facility managers and traffic
safety experts founded in 1987. You can thank TEAM for rules we now take for
granted, like no beer after the seventh inning.

This  month,  Hallinan  takes  on  the  World 
Series,  a  major  event  both  in  terms  of 
American  sports  and  security. 


CSO:  Why  all  of  the  security  incidents  in  the 
past  year? 

Kevin Hallinan: The numbers are small but they can never be small enough. After
last year’s incident [when a first-base coach was attacked], we spent the entire
off-season working with teams on how to prevent and deal with trespasses.
Fortunately, we got an opportunity to redeem ourselves at the All-Star Game,
which took place on the same field and went smoothly.

What  can  you  do  about  fans  charging  the 
field? 

Well,  we've  started  to  track  these  people  and 
figure  out  who  does  it,  where  and  why.  We’ve 
learned,  for  example,  that  they  hardly  ever 
charge  the  field  from  where  their  seats  are. 
That  means  we  need  to  work  on  what  we  call 
ticket  discipline— making  sure  ushers  don’t 
let  fans  into  sections  they  don’t  belong  in. 
And  we're  hoping  stiff  penalties  will  help  too. 

The fan who attacked the first-base coach got no jail time. Just community
service, rehabilitation and probation.

I testified in that case. The judge let him walk. It was disappointing. Other
cases have yielded stiffer penalties and sent a better message.

We  have  season  tickets  to  the  Red  Sox  and 
get  patted  down  every  game.  Is  this  good 
security?  Do  you  ever  find  anything? 

It’s helped tremendously, just not how you think. It’s not that you often find
things, but it has changed what people bring to the ballpark. The mere fact that
there are pat downs means people bring less with them. They do really well with
that in Boston.

What  would  security  be  like  if  the  Red  Sox 
won  Game  7  of  the  World  Series  in  Fenway, 
grabbing  the  team’s  first  championship  since 
1918? 

I  can’t  imagine. 

Neither  can  we.  What  have  you  learned 
about  security  through  baseball? 

I’ve learned that stadium security has a ripple effect [on the rest of the
community]. When the Yankees won in ’96, the Bronx was a rockin’, but in a good
way, because fans saw on TV how positive a celebration it was inside the
stadium. A lot of the time we’ll be talking to a club and they’ll say, “Hey,
Kevin, this isn’t New York or Boston.” But then all it takes is one ninny
trespassing on their field and they see why we’re talking to them. It can be
quite spooky for players and umpires.

How  has  your  job  changed  since  9/11? 

I  used  to  say  that  while  security  was  a  24/7 
job,  the  facility  management  part  of  my  job 
was  a  store  that  was  open  three  days  a  week. 
That’s  increased  dramatically.  We’re  looking 
at  the  ballparks  and  their  perimeters  in 
whole  new  ways.  I  believe  we've  become  a 
model  for  public-private  partnerships  in 
terms  of  working  with  local  authorities,  the 
teams  themselves  and  the  fans  to  improve 
security.  We’re  not  perfect,  but  we’re  getting 
things  done. 

And  we’re  not  just  thinking  about  isolated 
terrorist  incidents.  We're  thinking  about 
earthquakes  and  blackouts. 

Do  you  profess  allegiance  to  any  particular 
baseball  team? 

Yes, all 30 of them. You’re talking to a guy who loves his job.




ILLUSTRATION  BY  PATRICK  MEREWETHER 


In a government sponsored trial of biometric security systems, LG IrisAccess
outperformed every other system tested, proving to be far more accurate. Far
faster. And over 1000 deployments confirm it.




LG  IrisAccess™  Iris  Recognition  Systems  provide  unparalleled 
security  for  people  and  property.  The  winner  in  head  to  head  testing. 
Proven  in  over  1000  installations,  worldwide.  LG  IrisAccess  makes 
world-class  security  surprisingly  affordable.  Visit  lgiris.com/report. 
And  see  the  difference  it  can  make  to  your  security. 


The iris identity experts.


LG  IrisAccess  3000 


LG IrisAccess is produced under a technology license from Iridian Technologies, Inc. ©2003 LG Electronics USA


The  right  management  should  do  more  than  just  protect. 

It  should  also  enable. 

eTrust™  Security  Management  Software 

With  eTrust  security  management  software,  your  information  isn't  just  safeguarded  from  internal  and  external  threats. 
We  provide  authorized  customers,  partners,  and  employees  with  appropriate  access  that  can  help  your  business  grow. 
In  addition  to  securing  data,  eTrust  also  provides  a  single  view  of  your  security  environment,  so  you  can  make  real-time 
decisions  based  on  comprehensive  information.  If  you're  looking  for  ways  to  minimize  risk  while  maximizing  your 
potential,  or  to  get  a  white  paper,  go  to  ca.com/security. 

Computer  Associates® 

©  2003  Computer  Associates  International,  Inc.  (CA).  All  rights  reserved. 


